A Same Origin Policy (SOP) bypass vulnerability has been identified in the Android browser installed by default on versions of the operating system prior to 4.4, a researcher revealed on Thursday.
According to Pakistan-based independent security researcher Rafay Baloch, the vulnerability was fixed in the Google Chrome Webkit approximately 3 years ago, but it still plagues older Android browsers.
Under normal circumstances, the SOP security feature prevents websites from accessing data from other sites. However, by bypassing the SOP, a malicious website can collect browsing data from other sites visited by the victim.
The researcher has published a proof-of-concept that demonstrates the attack method. The attack was successfully reproduced on devices such as Samsung Galaxy S3, LG Nexus 4, and Sony Xperia.
Baloch notified Google on Sept. 25 and a fix was released on Sept. 30. The researcher told SecurityWeek that he is still waiting to hear back from Google regarding the versions in which the vulnerability was addressed. However, it appears that the fix is for Android 4.1 through 4.3 (Jelly Bean).
While Jelly Bean accounts for 75% of Android installations, according to Google’s own reports, roughly 20% of users still rely on Froyo, Gingerbread or Ice Cream Sandwich. The company replaced the Android browser with Chrome starting with version 4.4 (KitKat).
Baloch told SecurityWeek that in addition to the Android browser, this particular SOP bypass vulnerability affects several other Web browsers, including Maxthon, CM Browser and Safari Browser 5.0.
“In case if you are still using Android browser or any of other browser, you should immediately apply patches or switch to Chrome or Firefox. I believe there are several other vulnerabilities that were addresses in Chrome Webkit and still have not been addressed inside of Android browser, therefore it is recommended to avoid it completely,” the researcher wrote in a blog post.
This is the second Android browser SOP bypass vulnerability reported by Baloch in just over a month. The first issue he discovered (CVE-2014-6041), which Google has already patched and for which a Metasploit module was developed by Rapid7, was also analyzed by Trend Micro.
The security firm tested the top 100 Android applications from Google Play that contain the word “browser” in their name. Researchers found that 42 of them had been vulnerable, but warned that other apps are also at risk.