Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Dangerous “Same Origin Policy” Bypass Flaw Found in Android Browser

A serious vulnerability has been discovered in the Web browser installed by default on a large number of Android devices, researchers have warned.

A serious vulnerability has been discovered in the Web browser installed by default on a large number of Android devices, researchers have warned.

The issue, which has been assigned the CVE identifier CVE-2014-6041, was first reported by Pakistan-based security researcher Rafay Baloch in late August. Baloch found that the Android Open Source Platform (AOSP) browser installed on Android 4.2.1 is vulnerable to Same Origin Policy (SOP) bypass. He tested his findings on numerous devices, including Qmobile Noir, Sony Xperia, Samsung Galaxy S3, HTC Wildfire and Motorola Razr.

After Baloch published a blog post describing the issue, researchers from security firm Rapid7 also conducted an analysis and determined that AOSP browsers shipped with versions of the operating system prior to Android 4.4 are affected.

The SOP is a security feature that’s designed to make it possible for pages from the same site to interact, while preventing unrelated websites from interfering with each other. By bypassing the SOP, an attacker can gain access to content from the websites opened by the victim. An attacker simply needs to set up a malicious website, which enables the harvest of data from the sites opened in different tabs. This can be done by “malforming a javascript: URL handler with a prepended null byte,” Rapid7 said.

“Imagine you went to an attackers site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf,” Rapid7’s Tod Beardsley explained in a blog post. “This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security.”

After the introduction of Chrome for Android, Google stopped shipping the AOSP browser with Android. However, Android versions prior to 4.4 (KitKat), which have the vulnerable application installed by default, represent 75% of the Android ecosystem.

Baloch said he had notified Google of the existence of the flaw “way before” he published his blog post. Initially, Google’s security team could not reproduce the issue, but they later confirmed it and claimed to be “working internally on a suitable fix.”

In the meantime, Rapid7 has developed a Metasploit module that exploits the vulnerability. Researchers have also promised to publish a video demonstrating an attack.

Advertisement. Scroll to continue reading.

“Research and testing is still ongoing to plumb the depths of this issue. We’d like to pin down exactly when the bug was fixed, and to determine just how widespread this vector really is,” Beardsley explained.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

Robert Shaker II has joined application security firm ActiveState as Chief Product and Technology Officer.

MorganFranklin Cyber has promoted Nick Stallone and Ferdinand Hamada into newly created roles.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.