Xiaomi: after the antivirus, its web browsers are also vulnerable

It's a hard blow for Xiaomi, who's the target of security researchers right now. After the manufacturer's application related to security, it is the turn of his web browsers to be pointed at. These present a security flaw that allows a malicious site to pretend to be something it is not.

Discovered by researcher Arif Khan, this CVE-2019-10875 flaw allows to deceive a user by modifying the URL displayed in the address bar of Mi Browser browsers - integrated natively on all smartphones of the brand - and Mint Browser. To do this, simply add a variable ?q= in the URL, followed by an existing address. For example, the URL http://www.frandroid.com/?q=www.facebook.com displays the FrAndroid home page, but under the URL of the famous social network.

We can therefore imagine a hacker sending a link to a user by doing what he is not and asking his victim to click on a link similar to that of his bank or access provider, for example to retrieve private information.

This vulnerability affects all available Xiaomi smart phones, including the latest ones such as the Xiaomi Mi 9 or the Redmi Note 7. Although warned of the problem, Xiaomi confirmed to The Hacker News that the flaw had still not been patched, which we quickly noticed (see screenshot above).

One point also raises conspiracy concerns: this loophole would only affect smart phones marketed internationally and not those offered in China. Some people therefore see it as a problem that was deliberately left behind, some people think that Xiaomi paid the security researcher for his discovery (as is customary when a security breach is discovered), but do not seem to act to correct it.

Knowing that this vulnerability is linked to an application and not directly to the system, it is sufficient to use another web browser such as Google Chrome or Firefox for example to protect yourself.

	Extensive Product Selection ● Over 300,000 products ● 20 different categories ● 15 local warehosues ● Multiple top brands		Convenient Payment ● Global payment options: Visa, MasterCard, American Express ● PayPal, Western Union and bank transfer are accepted ● Boleto Bancario via Ebanx (for Brazil)
	Prompt Shipping ● Unregistered air mail ● Registered air mail ● Priority line ● Expedited shipping		Dedicated After-sales Service ● 45 day money back guarantee ● 365 day free repair warranty ● 7 day Dead on Arrival guarantee (DOA)