Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Patches Second “Same Origin Policy” Bypass Flaw in Android Browser

A Same Origin Policy (SOP) bypass vulnerability has been identified in the Android browser installed by default on versions of the operating system prior to 4.4, a researcher revealed on Thursday.

A Same Origin Policy (SOP) bypass vulnerability has been identified in the Android browser installed by default on versions of the operating system prior to 4.4, a researcher revealed on Thursday.

According to Pakistan-based independent security researcher Rafay Baloch, the vulnerability was fixed in the Google Chrome Webkit approximately 3 years ago, but it still plagues older Android browsers.

Under normal circumstances, the SOP security feature prevents websites from accessing data from other sites. However, by bypassing the SOP, a malicious website can collect browsing data from other sites visited by the victim.

The researcher has published a proof-of-concept that demonstrates the attack method. The attack was successfully reproduced on devices such as Samsung Galaxy S3, LG Nexus 4, and Sony Xperia.

Baloch notified Google on Sept. 25 and a fix was released on Sept. 30. The researcher told SecurityWeek that he is still waiting to hear back from Google regarding the versions in which the vulnerability was addressed. However, it appears that the fix is for Android 4.1 through 4.3 (Jelly Bean).

While Jelly Bean accounts for 75% of Android installations, according to Google’s own reports, roughly 20% of users still rely on Froyo, Gingerbread or Ice Cream Sandwich. The company replaced the Android browser with Chrome starting with version 4.4 (KitKat).

Baloch told SecurityWeek that in addition to the Android browser, this particular SOP bypass vulnerability affects several other Web browsers, including Maxthon, CM Browser and Safari Browser 5.0.

“In case if you are still using Android browser or any of other browser, you should immediately apply patches or switch to Chrome or Firefox. I believe there are several other vulnerabilities that were addresses in Chrome Webkit and still have not been addressed inside of Android browser, therefore it is recommended to avoid it completely,” the researcher wrote in a blog post.

This is the second Android browser SOP bypass vulnerability reported by Baloch in just over a month. The first issue he discovered (CVE-2014-6041), which Google has already patched and for which a Metasploit module was developed by Rapid7, was also analyzed by Trend Micro.

The security firm tested the top 100 Android applications from Google Play that contain the word “browser” in their name. Researchers found that 42 of them had been vulnerable, but warned that other apps are also at risk.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.