CVE-2024-37406
📋 TL;DR
In Brave Browser for Android, the Brave Shields popup truncates long domain names from the right instead of from the left. Because the registrable domain sits at the end of a hostname, right-side truncation can hide it and leave only attacker-chosen leading labels visible, so a malicious domain can appear legitimate. Users of Brave Android browsers are affected when viewing websites with carefully crafted domain names.
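To make the display defect concrete, here is an added example (not Brave's code, and not taken from the HackerOne report) that renders one hostname both ways and checks whether the registrable domain survives. The display width, the sample hostname and the naive two-label eTLD+1 helper are constructed assumptions for illustration only; a real implementation would consult the Public Suffix List.

```python
# Added example, not Brave's code: compare right-side truncation (the defective
# behaviour described for the Shields popup) with left-side truncation.
# WIDTH and SAMPLE_HOST are constructed values for illustration only.

ELLIPSIS = "\u2026"


def truncate_right(host: str, width: int) -> str:
    """Keep the leftmost characters. The leading labels survive and the
    registrable domain at the end of the hostname is what gets cut off."""
    if len(host) <= width:
        return host
    return host[: width - 1] + ELLIPSIS


def truncate_left(host: str, width: int) -> str:
    """Keep the rightmost characters. The registrable domain (eTLD+1) stays
    visible; only the arbitrary leading labels are cut off."""
    if len(host) <= width:
        return host
    return ELLIPSIS + host[-(width - 1):]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. This is a deliberate simplification;
    production code should use the Public Suffix List instead."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def registrable_domain_visible(rendered: str, host: str) -> bool:
    """Does the rendered (possibly truncated) string still show the eTLD+1?"""
    return registrable_domain(host) in rendered


# Constructed sample (reserved .example TLD, not a real host): a long leading
# label that imitates a trusted name, followed by the actual registrable domain.
SAMPLE_HOST = "secure.bank-example.com.verification-portal-long-label.not-the-bank.example"
WIDTH = 32


def compare(host: str = SAMPLE_HOST, width: int = WIDTH) -> dict:
    """Render the host both ways and report whether the eTLD+1 is visible."""
    right = truncate_right(host, width)
    left = truncate_left(host, width)
    return {
        "right": right,
        "right_shows_etld1": registrable_domain_visible(right, host),
        "left": left,
        "left_shows_etld1": registrable_domain_visible(left, host),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the constructed values, the right-truncated string ends just after "com.verific" and never shows `not-the-bank.example`, while the left-truncated string does; that difference is the whole of the issue, and it is why user-facing origin displays should truncate from the left or otherwise guarantee the eTLD+1 is shown.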
💻 Affected Systems
- Brave Browser for Android
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Users could be tricked into interacting with malicious websites that appear to be legitimate domains, potentially leading to credential theft, malware installation, or financial fraud.
Likely Case
Phishing attacks where users mistakenly trust malicious domains that appear similar to legitimate ones due to the display truncation issue.
If Mitigated
Users who carefully inspect full URLs in the address bar rather than relying on the Shields popup display would be less susceptible to this confusion.
🎯 Exploit Status
Exploitation requires registering a domain whose name appears legitimate when truncated from the right, which is straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.67.116
Vendor Advisory: https://hackerone.com/reports/2501378
Restart Required: Yes
Instructions:
1. Open Google Play Store
2. Search for Brave Browser
3. Tap Update
4. Restart the browser after the update completes
🔧 Temporary Workarounds
Disable Brave Shields Popup
Platform: Android
Prevent the vulnerable display by disabling the Shields popup feature.
Settings > Shields > Disable 'Show Shields popup'
Use Address Bar for Domain Verification
Platform: all
Always verify domains using the full address bar rather than the Shields popup.
🧯 If You Can't Patch
- Switch to alternative browsers until patched
- Educate users to always check full URLs in address bar before interacting with sites
🔍 How to Verify
Check if Vulnerable:
Check the Brave Android version under Settings > About Brave. If the version is below 1.67.116, the browser is vulnerable.
Check Version:
Settings > About Brave
Verify Fix Applied:
After updating, confirm that the version shown under Settings > About Brave is 1.67.116 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual domain patterns in browser logs
- User reports of suspicious domain displays
Network Indicators:
- Connections to domains with long subdomains designed to exploit truncation
SIEM Query:
Not applicable: this is a client-side browser display issue, not a server-side or network event.