Dangerous “Same Origin Policy” Bypass Flaw Found in Android Browser

A serious vulnerability has been discovered in the Web browser installed by default on a large number of Android devices, researchers have warned.

The issue, which has been assigned the CVE identifier CVE-2014-6041, was first reported by Pakistan-based security researcher Rafay Baloch in late August. Baloch found that the Android Open Source Platform (AOSP) browser installed on Android 4.2.1 is vulnerable to Same Origin Policy (SOP) bypass. He tested his findings on numerous devices, including Qmobile Noir, Sony Xperia, Samsung Galaxy S3, HTC Wildfire and Motorola Razr.

After Baloch published a blog post describing the issue, researchers from security firm Rapid7 also conducted an analysis and determined that AOSP browsers shipped with versions of the operating system prior to Android 4.4 are affected.

The SOP is a security feature that’s designed to make it possible for pages from the same site to interact, while preventing unrelated websites from interfering with each other. By bypassing the SOP, an attacker can gain access to content from the websites opened by the victim. An attacker simply needs to set up a malicious website, which enables the harvest of data from the sites opened in different tabs. This can be done by “malforming a javascript: URL handler with a prepended null byte,” Rapid7 said.

“Imagine you went to an attackers site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf,” Rapid7’s Tod Beardsley explained in a blog post. “This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security.”

After the introduction of Chrome for Android, Google stopped shipping the AOSP browser with Android. However, Android versions prior to 4.4 (KitKat), which have the vulnerable application installed by default, represent 75% of the Android ecosystem.

Baloch said he had notified Google of the existence of the flaw “way before” he published his blog post. Initially, Google’s security team could not reproduce the issue, but they later confirmed it and claimed to be “working internally on a suitable fix.”

In the meantime, Rapid7 has developed a Metasploit module that exploits the vulnerability. Researchers have also promised to publish a video demonstrating an attack.

“Research and testing is still ongoing to plumb the depths of this issue. We’d like to pin down exactly when the bug was fixed, and to determine just how widespread this vector really is,” Beardsley explained.