Security Experts:

Connect with us

Hi, what are you looking for?



Dangerous “Same Origin Policy” Bypass Flaw Found in Android Browser

A serious vulnerability has been discovered in the Web browser installed by default on a large number of Android devices, researchers have warned.

A serious vulnerability has been discovered in the Web browser installed by default on a large number of Android devices, researchers have warned.

The issue, which has been assigned the CVE identifier CVE-2014-6041, was first reported by Pakistan-based security researcher Rafay Baloch in late August. Baloch found that the Android Open Source Platform (AOSP) browser installed on Android 4.2.1 is vulnerable to Same Origin Policy (SOP) bypass. He tested his findings on numerous devices, including Qmobile Noir, Sony Xperia, Samsung Galaxy S3, HTC Wildfire and Motorola Razr.

After Baloch published a blog post describing the issue, researchers from security firm Rapid7 also conducted an analysis and determined that AOSP browsers shipped with versions of the operating system prior to Android 4.4 are affected.

The SOP is a security feature that’s designed to make it possible for pages from the same site to interact, while preventing unrelated websites from interfering with each other. By bypassing the SOP, an attacker can gain access to content from the websites opened by the victim. An attacker simply needs to set up a malicious website, which enables the harvest of data from the sites opened in different tabs. This can be done by “malforming a javascript: URL handler with a prepended null byte,” Rapid7 said.

“Imagine you went to an attackers site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf,” Rapid7’s Tod Beardsley explained in a blog post. “This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security.”

After the introduction of Chrome for Android, Google stopped shipping the AOSP browser with Android. However, Android versions prior to 4.4 (KitKat), which have the vulnerable application installed by default, represent 75% of the Android ecosystem.

Baloch said he had notified Google of the existence of the flaw “way before” he published his blog post. Initially, Google’s security team could not reproduce the issue, but they later confirmed it and claimed to be “working internally on a suitable fix.”

In the meantime, Rapid7 has developed a Metasploit module that exploits the vulnerability. Researchers have also promised to publish a video demonstrating an attack.

“Research and testing is still ongoing to plumb the depths of this issue. We’d like to pin down exactly when the bug was fixed, and to determine just how widespread this vector really is,” Beardsley explained.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.