Version 5.26.0 of the open source DuckDuckGo Privacy Browser for Android, an app with more than 5 million installs, contains an address bar spoofing vulnerability that potential attackers can exploit to launch URL spoofing attacks against the app’s users. Security researcher Dhiraj Mishra found the flaw, tracked as CVE-2019-12329, and reported it to the app’s security team through their bug bounty program on the HackerOne bug bounty and vulnerability coordination platform. Unaware victims can be redirected to domains camouflaged as high-profile websites, which would enable the attackers to steal their targets’ information either through phishing landing pages or by dropping malware on their computers via malvertising campaigns.
Source: https://www.bleepingcomputer.com/news/security/duckduckgo-android-browser-vulnerable-to-url-spoofing-attacks/

