A newly discovered vulnerability (CVE-2022-38163) exists in the F-Secure SAFE Browser for Android and iOS devices, specifically in versions 19. and below. This vulnerability allows malicious actors to potentially spoof the address bar during a drag and drop operation, leading to possible phishing attacks or other threats.

In this long-read post, we will dive into the details of this vulnerability, its exploitation, and potential mitigations. We will also provide references to the original sources and a code snippet demonstrating the vulnerability.

Background

F-Secure SAFE Browser is a popular web browser for Android and iOS devices developed by F-Secure, a well-known cybersecurity company. The browser focuses on providing enhanced security and privacy features to protect users from various online threats, like phishing and malware. However, despite its security-focused nature, a vulnerability was found in the browser's implementation of the drag and drop functionality, enabling attackers to spoof the address bar's content.

Drag and Drop Spoof Vulnerability (CVE-2022-38163)

The vulnerability stems from the browser's handling of user-initiated drag and drop operations on the address bar, specifically its inadequate validation and control of these actions. An attacker could exploit this weakness by crafting a malicious webpage that, when visited, initiates a drag and drop action on the targeted user's address bar. Subsequently, they could manipulate the content displayed in the address bar, potentially tricking the user into believing they are visiting a legitimate webpage.

Here is a simplified code snippet demonstrating this vulnerability:

<!DOCTYPE html>
<html>
<head>
  <script>
    // Sets the drag payload to a full URL that differs from the visible link text
    function handleDragStart(e) {
      var data = "https://www.example.com";
      e.dataTransfer.setData('text/plain', data);
    }
  </script>
</head>
<body>
  <!-- The visible text and the href do not correspond to the dragged payload -->
  <p>Drag this link to the address bar: <a href="#" draggable="true" ondragstart="handleDragStart(event)">www.example.com</a></p>
</body>
</html>

In the code above, the 'handleDragStart' function sets the data transferred during a drag and drop operation to "https://www.example.com", while the displayed link text is "www.example.com" and its href is "#". If the user drags the link onto the address bar, the bar could show "https://www.example.com" even though the browser has not navigated to that website.

Original References

The vulnerability was initially reported by security researcher Johnathan Doe (example name) on GitHub. F-Secure has acknowledged the vulnerability and released an advisory with additional details, which can be found here.

To exploit this vulnerability, an attacker would typically:

1. Craft a malicious webpage containing a link with the drag and drop functionality that would mislead the user (as demonstrated in the code snippet above).
2. Share the malicious link with the target user, for instance via email, social media, or an embedded link on another website.
3. Upon visiting the malicious webpage, the user may drag the displayed link to the address bar, as instructed by the attacker.
4. The attacker's intended content would then be displayed in the address bar, potentially tricking the user and leading to other attack vectors (e.g., phishing or malware download).
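The following is an added example, not code from the advisory or from F-Secure's browser. It models the design flaw behind the snippet and the exploitation steps above: an address bar that displays the dropped payload immediately (the spoofable pattern) beside one that only changes on a committed navigation, plus a check that flags a draggable link whose visible text, href and dataTransfer payload disagree. All class and function names are hypothetical, and the sample URLs are constructed.

```javascript
// Added example, not code from the advisory or from F-Secure's browser.
// Models two address-bar designs for a drop onto the bar: one that displays
// the dropped payload at once (the spoofable pattern) and one that only
// updates on a committed navigation. Also flags draggable links whose visible
// text, href and dataTransfer payload disagree. All names are hypothetical.

// Comparable host for a bare "www.x.com" or a full URL; null when the
// string is not an http(s) location (e.g. "#", "javascript:", garbage).
function hostOf(text) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(text);
  try {
    const u = new URL(hasScheme ? text : 'https://' + text);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// True when the link's visible text, its href and the dragged payload do not
// all resolve to the same http(s) host; a null host (such as href="#") is
// treated as a mismatch because the user cannot tell where it leads.
function dragPayloadMismatch(anchorText, anchorHref, transferData) {
  const hosts = new Set([anchorText, anchorHref, transferData].map(hostOf));
  return hosts.has(null) || hosts.size > 1;
}

// Spoofable pattern: the bar shows page-controlled text before any
// navigation has happened, so display and real location can diverge.
class SpoofableAddressBar {
  constructor(location) { this.location = location; this.display = location; }
  onDrop(transferData) { this.display = transferData; }
  onNavigationCommitted(url) { this.location = url; this.display = url; }
}

// Hardened pattern: a drop only records a pending http(s) request; the bar
// changes solely when the engine commits the navigation, so the display
// always equals the real location.
class HardenedAddressBar {
  constructor(location) { this.location = location; this.display = location; this.pending = null; }
  onDrop(transferData) { this.pending = hostOf(transferData) ? transferData : null; }
  onNavigationCommitted(url) { this.location = url; this.display = url; this.pending = null; }
}
```

Running the page's own snippet through dragPayloadMismatch ("www.example.com", "#", "https://www.example.com") flags it, because the href gives no host at all while the payload names one.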

Mitigations

To address this vulnerability, F-Secure has released an updated version of their SAFE Browser, with version 20. and above containing the necessary fixes. Users are strongly encouraged to update their browser to the latest version to stay protected from potential exploitation.

Additionally, always exercise caution when visiting unknown websites or clicking on links, especially if they require user interaction such as dragging and dropping elements. When in doubt, avoid interacting with suspicious content and verify the authenticity of URLs in the address bar before proceeding.

Conclusion

CVE-2022-38163 is a drag and drop spoof vulnerability discovered in F-Secure SAFE Browser for Android and iOS, affecting version 19. and below. Although the impact of this vulnerability is relatively low in severity, users should update their browser to the latest version and remain vigilant when interacting with websites and links to minimize the risk of being exploited. With adequate caution and regular software updates, users can continue to browse the internet safely using the F-Secure SAFE Browser.

Timeline

Published on: 11/07/2022 15:15:00 UTC
Last modified on: 11/29/2022 18:07:00 UTC