SecurityWeek


Dangerous “Same Origin Policy” Bypass Flaw Found in Android Browser

A serious vulnerability has been discovered in the Web browser installed by default on a large number of Android devices, researchers have warned.


The issue, which has been assigned the CVE identifier CVE-2014-6041, was first reported by Pakistan-based security researcher Rafay Baloch in late August. Baloch found that the Android Open Source Platform (AOSP) browser installed on Android 4.2.1 is vulnerable to Same Origin Policy (SOP) bypass. He tested his findings on numerous devices, including Qmobile Noir, Sony Xperia, Samsung Galaxy S3, HTC Wildfire and Motorola Razr.

After Baloch published a blog post describing the issue, researchers from security firm Rapid7 also conducted an analysis and determined that AOSP browsers shipped with versions of the operating system prior to Android 4.4 are affected.

The SOP is a security feature designed to let pages from the same site interact while preventing unrelated websites from interfering with each other. By bypassing the SOP, an attacker can gain access to content from the websites opened by the victim. An attacker simply needs to set up a malicious website, which can then harvest data from the sites opened in different tabs. This can be done by “malforming a javascript: URL handler with a prepended null byte,” Rapid7 said.
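The effect of a prepended control character on a scheme check, as an added example that is not from the article, Baloch's post or Rapid7's module: a content filter that compares the raw string against `javascript:` does not recognize a URL with a leading null byte, while one that normalizes the string the way the WHATWG URL parser does (strip leading C0 controls and spaces, remove tab/CR/LF) does. The function names and sample URLs are constructed for illustration.

```javascript
// Added example: scheme checks for URL strings found in untrusted markup.
// All sample URLs below are constructed for illustration.

// Naive check: exact prefix comparison on the raw string.
function naiveIsScriptUrl(raw) {
  return raw.toLowerCase().startsWith("javascript:");
}

// Hardened check: mirror WHATWG URL preprocessing before reading the scheme.
// Leading C0 controls and spaces (U+0000-U+0020) are stripped and
// tab/CR/LF are removed anywhere in the string.
function normalizedScheme(raw) {
  const cleaned = raw.replace(/^[\u0000-\u0020]+/, "").replace(/[\t\r\n]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function inspectUrl(raw) {
  const scheme = normalizedScheme(raw);
  const isScriptUrl = scheme === "javascript";
  return {
    scheme,
    isScriptUrl,
    // A control character in front of a script scheme has no legitimate use.
    suspicious: isScriptUrl && /^[\u0000-\u001f]/.test(raw),
    // True when the raw prefix comparison would have let this URL through.
    missedByNaiveCheck: isScriptUrl && !naiveIsScriptUrl(raw),
  };
}

const samples = [
  "https://example.test/inbox",   // ordinary link
  "javascript:void(0)",           // plain script URL
  "\u0000javascript:void(0)",     // script URL with a prepended null byte
  " JavaScript:void(0)",          // leading space, mixed case
];

function report() {
  return samples.map(inspectUrl);
}

for (const [i, r] of report().entries()) {
  console.log(JSON.stringify(samples[i]), r);
}
```
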

“Imagine you went to an attacker's site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf,” Rapid7’s Tod Beardsley explained in a blog post. “This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security.”

After the introduction of Chrome for Android, Google stopped shipping the AOSP browser with Android. However, Android versions prior to 4.4 (KitKat), which have the vulnerable application installed by default, represent 75% of the Android ecosystem.

Baloch said he had notified Google of the existence of the flaw “way before” he published his blog post. Initially, Google’s security team could not reproduce the issue, but they later confirmed it and claimed to be “working internally on a suitable fix.”

In the meantime, Rapid7 has developed a Metasploit module that exploits the vulnerability. Researchers have also promised to publish a video demonstrating an attack.


“Research and testing is still ongoing to plumb the depths of this issue. We’d like to pin down exactly when the bug was fixed, and to determine just how widespread this vector really is,” Beardsley explained.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
