CVE-2022-38163 - Understanding the F-Secure SAFE Browser Drag-and-Drop Address Bar Spoof Vulnerability

Security vulnerabilities are often spooky, but sometimes they’re surprisingly easy to exploit. One such case is CVE-2022-38163, a drag-and-drop spoofing flaw found in F-Secure SAFE Browser for Android and iOS (version 19. and earlier). It allows a malicious webpage to trick users into believing they’re at a safe web address when they are not. In this post, we’ll break down the vulnerability, show how it works, provide code examples, and share ways to stay safe.

What is CVE-2022-38163?

This vulnerability is about how F-Secure SAFE Browser handles the drag-and-drop of links into the address bar. If a user drags a link provided by a malicious website into the SAFE Browser’s address bar, it’s possible for the attacker to spoof what gets displayed — fooling users into thinking they are on a trusted website, when in fact, they're not.

Vulnerable Products:

F-Secure SAFE Browser for iOS (version 19. and below)

Official Advisory:  
F-Secure Advisory for CVE-2022-38163

Let’s break it down step-by-step

1. The Attacker’s Page: An attacker creates a webpage containing a draggable link (for example, one labeled www.paypal.com).

User Drag-and-Drops: The user drags that link into the browser’s address bar.

3. The Spoof: Due to improper handling, the address bar might show the *displayed URL* (e.g., www.paypal.com), while actually loading a very different, malicious URL.

This trick is highly effective for phishing attacks because the address bar is what most users rely on to confirm a website’s authenticity.

Here’s a simple HTML page that would be used as a bait

<!-- Spoofing link example -->
<!DOCTYPE html>
<html>
<head>
  <title>Drag-and-Drop Spoof Demo</title>
</head>
<body>
  <p>
    Drag this link into your address bar:
    <a href="https://evil.example.com"; draggable="true">https://www.paypal.com</a>;
  </p>
</body>
</html>

What’s happening here?
- The displayed text is https://www.paypal.com (trusted!).
- The actual link is https://evil.example.com.

In a vulnerable version of SAFE Browser, dragging the link to the bar could show "www.paypal.com" in the address, but you’d actually be at "evil.example.com".

User drags the link into address bar, expecting to go to a trusted domain.

4. Browser address bar is spoofed to show the trusted domain, but the page loaded is the attacker’s.

This kind of phishing is dangerous because it outsmarts the most cautious users.

Why Is This Serious?

- Defeats the Address Bar: The address bar is foundational to browser security and user trust. If you can’t trust it, you’re at risk.
- Bypasses SSL/TLS Indicators: Even HTTPS and green-lock signs don’t help if the real site is hidden.

Mitigation & Solution

Fixed in version 19.1:  
Update F-Secure SAFE Browser to version 19.1 or higher as soon as possible.

More Information

- F-Secure CVE-2022-38163 Advisory
- National Vulnerability Database Entry

Final Thoughts

Address bar spoofing through drag-and-drop seems basic, but it’s a powerful trick that targets even careful users. Make sure to update your F-Secure SAFE Browser to stay protected, and remind your friends and family about the dangers of dragging and dropping links — especially on unfamiliar websites.

Timeline

Published on: 11/07/2022 15:15:00 UTC
Last modified on: 11/29/2022 18:07:00 UTC