How to Block 'Address Bar Spoofing' Attacks on Your Mobile Browser

We write about web browsers at lot at Lifehacker—so much that I feel as if talking about the latest Chrome, Firefox, Edge, or Safari features is a weekly kind of a conversation you and I have. I confess, even I get a little fatigued, but it’s important that we keep chatting, because having a browser that’s updated with the latest features—and security patches—is good for your digital life.

Honestly, I could care less if you use any of the new features that your browser’s developer rolls out from time to time—if you’re fine with surfing the web however as-is and don’t need any more bells or whistles to distract you from your daily online habits, that’s perfectly fine. Never feel you have to do more if you don’t want to.

But don’t take my suggestion as a sign that you should ignore when your browser’s developer releases a new version. Because these update aren’t just about features. They’ll also contain various under-the-hood fixes for mystifying bugs and security vulnerabilities. And that’s what you’ll want to have the day they’re released, because they help you hop around the web safer.

Case in point: There’s a big piece of research going around right now about how some browsers—including the mobile versions of Opera and Safari—are, or were, vulnerable to some “JavaScript shenanigans” that a website could use to spoof its actual URL in your browser’s address bar. As Rapid7 Director of Research Tod Beardsley recently wrote for the company’s blog:

In all cases, the victim would have to visit a website that the attacker can post executable javascript to. Normally, this wouldn’t include websites like Facebook, Reddit, Twitter, or other online forums (they do a pretty good job in protecting against aforementioned Javascript shenanigans), but would include a website that was set up by the attacker and sent to the victim through a phishing email, a phishing text me

ssage, or a post to a popular forum. So, for example, imagine a text message from a spoofed phone number that says, ‘There is an important message from your payment processor, click here” and then you click without really looking, and end up on a web page that clearly (but falsely) says it’s Paypal, and hey, can you give up your password real quick?’

Sounds scary, right? Well, the good news is that major browsers affected by this issue—namely, Safari and Opera Mini/Touch—were already patched prior to Beardsley going public with his report. For third-party browsers you’ve downloaded, like Opera, this means that all you have to do is make sure you’re regularly keeping them updated via Apple’s App Store or the Google Play Store.

That’s it! Just keep updating your apps. Never stop updating your apps.

Safari Is Now the Best Browser for Blocking Third-Party Tracking Read More

For Safari in particular, you’ll want to make sure that you’re always running the latest version of iOS that you can get your hands on, as Apple doesn’t update the browser via its App Store, like you might expect. Instead, Apple pushes browser updates via system updates—which can be in the form of a major iOS release (iOS 13 > iOS 14), or an incremental release (iOS 14.0.1, for example).

While most modern iPhones should update to new versions of iOS automatically, you can check to see if this setting is enabled and update your device manually, if applicable. Just visit Settings > General > Software Update. It’s as easy as that, and it’s something you shouldn’t dawdle about doing. Again, it’s totally fine to not care about the features found in a new browser version, or even a new operating system version. Update your apps, and operating system, to keep yourself as safe and secure as possible. It’s simple, really.