Md Arif Khan
| Md Arif Khan | |
|---|---|
| Born | |
| 🏳️ Nationality | Indian |
| 💼 Occupation | Security Researcher |
| Known for | MIUI vulnerabilities[1][circular reference] |
| 🌐 Website | https://www.andmp.com |
Arif Khan (a.k.a Md Arif Khan) is an Indian security researcher, and ethical hacker, who is best known in the community for having found and disclosed critical browser security vulnerabilities in Xiaomi MIUI's native browser, and Mint browser. Khan has also been featured in the news.[2] like ZDNet[3][4], Sophos[5] for his security research work, which includes finding Browser URL Address Bar Spoofing vulnerabilities in the UC Browser and UC Browser Mini[6], and for discovering a critical MIUI Lock screen bypass vulnerability[7]
Career[edit]
Khan is an ethical hacker and has reported vulnerabilities to several renowned organizations like Google[8], CERN[9], Reddit, and Xiaomi[10][11] and is listed on their security hall of fame. Khan has also helped Government organizations[12] by finding and reporting security issues. He has worked as a security consultant and is currently part of the Synack Red Team.[13]
Xiaomi MIUI Native Browser Security Research[edit]
In April 2019, Khan discovered a Browser Address bar spoofing vulnerability in MIUI's native browser and in Xiaomi's Mint Browser[14], but only in the Indian and certain overseas versions and not in the Chinese version. Attackers could trick victims into visiting malicious websites by pretending as a legitimate website by exploiting this vulnerability. Khan reported his findings to Xiaomi and at the time of writing his blog post, the vulnerability in the browsers were still unpatched. His findings were subsequently published by various news media publications like NDTV[7], Firstpost[15], Digit (magazine)[2], Times Now[16], MediaNama[17] and many more. Shortly after the initial report and Xiaomi's fix, Khan noted that this fix was bypassed several times.[18][19]
Later, Quarkslab performed an in-depth application diffing to analyze the root cause of the vulnerability.[20]
UC Browser Address Spoofing Vulnerability[edit]
In May 2019, Khan disclosed an URL Address Bar spoofing vulnerability in UC Browser and UC Browser Mini[21]. At the time of his writing, even after having reported the vulnerabilities to the browser vendor, they had not patched it. The vulnerability allowed any malicious website to pretend as legitimate website tricking its victims.[6][22][23]
Xiaomi MIUI lock screen bypass Vulnerability[edit]
In April 2019, Khan had published his findings about a vulnerability that bypassed MIUI's lock screen to extract sensitive user information[24], which was only present in the Indian version with Glance. The vulnerability allowed clipboard data and auto-fill data extraction, even though lock screen protection was enabled. This required Glance to be enabled, however Khan notes, an attacker could enable Glance on the lock screen without unlocking the device.[25][26]
South Carolina Capital website Security Flaw[edit]
In April 2019, Khan averted a potential security breach in South Carolina capital website by alerting them of a critical security vulnerability[27] that exposed sensitive database and email credentials[28]. The vulnerability was due to an application security misconfiguration in their server. With the help of CNET[29], the issue was communicated to the city officials who subsequently fixed it and avoided a potential data breach.
References[edit]
- ↑ "Xiaomi Browser and MIUI lock screen vulnerabilities".
- ↑ 2.0 2.1 NewsDesk, Digit (2019-04-08). "Xiaomi's Mi browser, Mint Browser reportedly affected with serious URL spoofing vulnerability | Digit". digit.in. Retrieved 2020-11-28.
- ↑ Cimpanu, Catalin. "Facebook rolls out 'Whitehat Settings' to help bug hunters analyze traffic in its mobile apps". ZDNet. Retrieved 2020-11-28.
- ↑ Cimpanu, Catalin. "Wappalyzer discloses security breach after hacker starts emailing users". ZDNet. Retrieved 2020-11-28.
- ↑ "Facebook's Whitehat Settings lets bug-hunters dial back app security". Naked Security. 2019-03-27. Retrieved 2020-11-28.
- ↑ 6.0 6.1 "UC Browser for Android Vulnerable to URL Spoofing Attacks". BleepingComputer. Retrieved 2020-11-28.
- ↑ 7.0 7.1 "Xiaomi Patches MIUI Lock Screen Vulnerability that Leaked Clipboard Data". NDTV Gadgets 360. Retrieved 2020-11-28.
- ↑ "Bughunter". bughunter.withgoogle.com. Retrieved 2020-11-28.
- ↑ "CERN Computer Security Information". security.web.cern.ch. Retrieved 2020-11-28.
- ↑ "Xiaomi Security Center". sec.xiaomi.com. Retrieved 2020-11-28.
- ↑ "Xiaomi Security Center". sec.xiaomi.com. Retrieved 2020-11-28.
- ↑ Ng, Alfred. "South Carolina capital website had a security flaw that exposed passwords". CNET. Retrieved 2020-11-28.
- ↑ Khan, Arif. "Arif Khan's LinkedIn page". Unknown parameter
|url-status=ignored (help) - ↑ "Xiaomi URL Address Bar spoofing w/ SSL vulnerability or, CVE-2019-10875 - Was it intentionally kept in the global versions by Xiaomi? - Andmp | A blog about infosec, bug hunting and more!". www.andmp.com. Retrieved 2020-11-28.
- ↑ "Xiaomi's Mi, Mint browsers reportedly have a security flaw letting hackers spoof URLs- Technology News, Firstpost". Tech2. 2019-04-05. Retrieved 2020-11-28.
- ↑ "Xiaomi's Mi Browser, Mint Browser affected by security flaw; lets hackers steal passwords, bank detail: Report". www.timesnownews.com. Retrieved 2020-11-28.
- ↑ "Xiaomi warned about critical flaw in its two Android browsers but does nothing". MediaNama. 2019-04-08. Retrieved 2020-11-28.
- ↑ "0day Alert: Bypassing CVE-2019-10875 or, Xiaomi's Mint Browser's URL Spoofing patch: Discovered by Renwa - Andmp | A blog about infosec, bug hunting and more!". www.andmp.com. Retrieved 2020-11-28.
- ↑ "0day Alert: URL Spoofing Bypassed for latest Mint Browser 1.6.4 by Renwa - Andmp | A blog about infosec, bug hunting and more!". www.andmp.com. Retrieved 2020-11-28.
- ↑ "Android Application Diffing: CVE-2019-10875 Inspection". blog.quarkslab.com. Retrieved 2020-11-28.
- ↑ "[Advisory] Unpatched URL Address Bar Spoofing Vulnerability in UC Browser 12.11.2.1184 and UC Browser Mini 12.10.1.1192: With the same old one-liner payload... - Andmp | A blog about infosec, bug hunting and more!". www.andmp.com. Retrieved 2020-11-28.
- ↑ Yedakula, Kalyan. "Latest versions of UC Browser and UC Browser Mini Android apps vulnerable to URL spoofing attacks | Cyware Hacker News". cyware-social-nuxt. Retrieved 2020-11-28.
- ↑ "Updated version of UC browser for Android is not safe - a security research shows". Retrieved 2020-11-28.
- ↑ "[Unpatched Vulnerability] CVE-2019-11015: Lock Screen Auth Bypass leading to Sensitive Information Disclosure and an Improper Access Control issue in Xiaomi MIUI OS (latest stable releases affected) - Andmp | A blog about infosec, bug hunting and more!". www.andmp.com. Retrieved 2020-11-28.
- ↑ "Xiaomi Patches MIUI Lock Screen Vulnerability that Leaked Clipboard Data". NDTV Gadgets 360. Retrieved 2020-11-28.
- ↑ "Researcher finds MIUI lock screen authentication vulnerability leading to sensitive information disclosure [Update: Fixed in latest update]". www.fonearena.com. Retrieved 2020-11-28.
- ↑ "Flaw in Columbia, S.C., website exposed city passwords". StateScoop. 2019-04-26. Retrieved 2020-11-28.
- ↑ "Flaw in Columbia, S.C., website search tool exposed database, SMPT server passwords". SC Media. 2019-04-26. Retrieved 2020-11-28.
- ↑ Ng, Alfred. "South Carolina capital website had a security flaw that exposed passwords". CNET. Retrieved 2020-11-28.
This article "Md Arif Khan" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:Md Arif Khan. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.
