In Lightning Browser (Android) version 5.1.0, URLs containing very long subdomains are truncated in the address bar in a way that may hide or reduce the visibility of the registrable domain (eTLD+1).
This can lead to URL origin confusion, where users cannot clearly determine the actual domain of the website.
Affected Version
Lightning Browser (Android)
Version: 5.1.0
Steps to Reproduce
Open Lightning Browser on Android
Navigate to:
https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/
Wait for the page to fully load
Observe the address bar
Actual Result
The address bar shows only the beginning portion of the URL
The actual domain (badssl.com) is truncated or not clearly visible
Expected Result
The browser should always clearly display the registrable domain (eTLD+1)
Critical origin information should not be hidden or truncated
Security Impact
An attacker could craft a URL such as:
https://secure-login-bank-verification-very-long-subdomain.attacker.com/
Due to truncation:
Users may only see:
secure-login-bank-verification...
And may not notice the real domain (attacker.com)
This may increase the risk of:
Phishing attacks
Credential harvesting
User trust abuse
References
Chromium issue (similar behavior):
https://crbug.com/chromium/705778
Related discussion:
https://issues.chromium.org/issues/452209495
Additional Note
This issue has been observed in multiple browsers, but it appears that Lightning Browser is still affected. This may indicate that URL elision or address bar rendering logic does not properly prioritize displaying the registrable domain.
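
The difference between tail truncation and elision that keeps eTLD+1, shown on the two URLs from this report. This is an added example, not Lightning Browser's code. The function names, the small `SAMPLE_SUFFIXES` set (a constructed stand-in for the Public Suffix List) and the 32-character width are assumptions.

```kotlin
import java.net.URI

// Constructed stand-in for the Public Suffix List (PSL); production code would load the full list.
val SAMPLE_SUFFIXES = setOf("com", "org", "co.uk", "github.io")

/** eTLD+1 of [host], or null for IP literals and bare suffixes. Wildcard/exception PSL rules are omitted. */
fun registrableDomain(host: String, suffixes: Set<String> = SAMPLE_SUFFIXES): String? {
    val h = host.trimEnd('.').lowercase()
    if (h.isEmpty() || ':' in h || h.all { it.isDigit() || it == '.' }) return null
    val labels = h.split('.')
    // Longest matching suffix wins; with no match the PSL default rule treats the last label as the suffix.
    var suffixStart = labels.size - 1
    for (i in labels.indices) {
        if (labels.subList(i, labels.size).joinToString(".") in suffixes) { suffixStart = i; break }
    }
    return if (suffixStart == 0) null else labels.subList(suffixStart - 1, labels.size).joinToString(".")
}

/** Behaviour described in the report: keep the start of the URL and drop the end. */
fun truncateTail(url: String, maxChars: Int): String =
    if (url.length <= maxChars) url else url.take(maxChars - 1) + "…"

/** Alternative: show the host only and elide from the left, so the right-hand end (eTLD+1) survives. */
fun elideKeepingDomain(url: String, maxChars: Int): String {
    val host = URI(url).host ?: return truncateTail(url, maxChars)
    return if (host.length <= maxChars) host else "…" + host.takeLast(maxChars - 1)
}

/** Regression check: does the displayed text still contain the whole registrable domain of [url]? */
fun showsRegistrableDomain(displayed: String, url: String): Boolean {
    val domain = URI(url).host?.let { registrableDomain(it) } ?: return true
    val i = displayed.lowercase().indexOf(domain)
    // The match must start at a label boundary, so "notattacker.com" does not count for "attacker.com".
    return i == 0 || (i > 0 && displayed[i - 1] in ".…/")
}

fun main() {
    // URLs taken from the report; 32 characters is an assumed address-bar width.
    val urls = listOf(
        "https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/",
        "https://secure-login-bank-verification-very-long-subdomain.attacker.com/"
    )
    for (url in urls) {
        for (shown in listOf(truncateTail(url, 32), elideKeepingDomain(url, 32))) {
            println("$shown  domainVisible=${showsRegistrableDomain(shown, url)}")
        }
    }
}
```

`showsRegistrableDomain` can be run as a unit test against whatever string the address bar actually renders, so a regression in the elision logic fails the build.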
