A Same Origin Policy (SOP) bypass vulnerability has been identified in the Android browser installed by default on versions of the operating system prior to 4.4, a researcher revealed on Thursday.
According to Pakistan-based independent security researcher Rafay Baloch, the vulnerability was fixed in the Google Chrome Webkit approximately 3 years ago, but it still plagues older Android browsers.
Under normal circumstances, the SOP security feature prevents websites from accessing data from other sites. However, by bypassing the SOP, a malicious website can collect browsing data from other sites visited by the victim.
The researcher has published a proof-of-concept that demonstrates the attack method. The attack was successfully reproduced on devices such as Samsung Galaxy S3, LG Nexus 4, and Sony Xperia.
Baloch notified Google on Sept. 25 and a fix was released on Sept. 30. The researcher told SecurityWeek that he is still waiting to hear back from Google regarding the versions in which the vulnerability was addressed. However, it appears that the fix is for Android 4.1 through 4.3 (Jelly Bean).
While Jelly Bean accounts for 75% of Android installations, according to Google’s own reports, roughly 20% of users still rely on Froyo, Gingerbread or Ice Cream Sandwich. The company replaced the Android browser with Chrome starting with version 4.4 (KitKat).
Baloch told SecurityWeek that in addition to the Android browser, this particular SOP bypass vulnerability affects several other Web browsers, including Maxthon, CM Browser and Safari Browser 5.0.
“In case if you are still using Android browser or any of other browser, you should immediately apply patches or switch to Chrome or Firefox. I believe there are several other vulnerabilities that were addresses in Chrome Webkit and still have not been addressed inside of Android browser, therefore it is recommended to avoid it completely,” the researcher wrote in a blog post.
This is the second Android browser SOP bypass vulnerability reported by Baloch in just over a month. The first issue he discovered (CVE-2014-6041), which Google has already patched and for which a Metasploit module was developed by Rapid7, was also analyzed by Trend Micro.
The security firm tested the top 100 Android applications from Google Play that contain the word “browser” in their name. Researchers found that 42 of them had been vulnerable, but warned that other apps are also at risk.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
Latest News
- Germany Appoints Central Bank IT Chief to Head Cybersecurity
- OpenSSL Ships Patch for High-Severity Flaws
- Software Supply Chain Security Firm Lineaje Raises $7 Million
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Vulnerability Provided Access to Toyota Supplier Management Network
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- Linux Variant of Cl0p Ransomware Emerges
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
