Critical Android Browser bug threatens users’ privacy
Earlier this month, security researcher Rafay Baloch released a proof-of-concept exploit for a vulnerability in the stock Android Browser's security mechanism that could allow attackers to harvest confidential user data.
“By malforming a javascript: URL handler with a prepended null byte, an attacker can avoid the Android Open Source Platform (AOSP) Browser’s Same-Origin Policy (SOP) browser security control,” Tod Beardsley, a Rapid7 engineer, explained.
“What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker’s site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”
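The null-byte trick works because two layers of the browser disagree about what the URL is: the layer that enforces the same-origin policy looks at the raw string and does not recognise it as a javascript: URL, while the layer that loads it normalises the string first and then runs the script in the target page's origin. The following JavaScript is an illustration added for this article, not code from Baloch, Rapid7 or the AOSP source. It models that disagreement in miniature and also shows the hardened form, where the policy check normalises the URL the same way the loader does. The function names, the placeholder origins, the exact check the policy layer performs and the stripping of leading control characters (as the WHATWG URL parser specifies) are assumptions of the model, not the Android Browser's real implementation; the tab-prefixed sample generalises the page's null-byte case to any leading control character the loader would strip.

```javascript
// Simplified model of a javascript: URL scheme check that disagrees with the
// loader's own normalisation. Illustrative code written for this article, not
// the AOSP Browser's or WebKit's actual implementation.

// Origins used below are constructed placeholders.
const ATTACKER = "http://attacker.example";
const WEBMAIL = "https://webmail.example";

// Browsers strip leading and trailing C0 control characters and spaces before
// parsing a URL's scheme (WHATWG URL parser behaviour), so
// "\u0000javascript:..." and "javascript:..." end up as the same URL.
function trimControls(url) {
  return url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// Assumed naive policy check: looks at the raw string only. A leading null
// byte makes it answer "not a javascript: URL".
function naiveIsJavascriptUrl(url) {
  return url.toLowerCase().startsWith("javascript:");
}

// Hardened check: normalise exactly as the loader will before deciding.
function strictIsJavascriptUrl(url) {
  return trimControls(url).toLowerCase().startsWith("javascript:");
}

// Model of navigating a named frame from script. Stage 1 is the same-origin
// policy gate; stage 2 is the loader, which normalises the URL and runs
// javascript: URLs in the *frame's* origin. The gate is parameterised so the
// naive and strict checks can be compared on the same input.
function navigateNamedFrame(url, callerOrigin, frameOrigin, isJavascriptUrl) {
  if (isJavascriptUrl(url) && callerOrigin !== frameOrigin) {
    return { outcome: "blocked", reason: "cross-origin javascript: navigation" };
  }
  const normalized = trimControls(url);
  if (normalized.toLowerCase().startsWith("javascript:")) {
    // Script runs with the frame's origin: its DOM, cookies and session.
    return { outcome: "script-ran", origin: frameOrigin };
  }
  return { outcome: "navigated", to: normalized };
}

// Run the same scripted navigation through both gates for a set of URLs.
function compareGates(urls, callerOrigin, frameOrigin) {
  return urls.map((url) => ({
    url: JSON.stringify(url),
    naive: navigateNamedFrame(url, callerOrigin, frameOrigin, naiveIsJavascriptUrl).outcome,
    strict: navigateNamedFrame(url, callerOrigin, frameOrigin, strictIsJavascriptUrl).outcome,
  }));
}

// Constructed sample inputs: a plain javascript: URL, the null-byte variant
// described in the article, a tab-prefixed variant, and an ordinary navigation.
const SAMPLE_URLS = [
  "javascript:alert(document.cookie)",
  "\u0000javascript:alert(document.cookie)",
  "\tJavaScript:alert(document.cookie)",
  "https://webmail.example/inbox",
];

// Attacker-controlled page tries to drive a frame that holds the webmail origin.
console.table(compareGates(SAMPLE_URLS, ATTACKER, WEBMAIL));
```

The table the block prints makes the failure visible at a glance: the naive gate blocks the plain javascript: URL but lets the null-byte and tab-prefixed variants through to the loader, which then executes them in the webmail origin, exactly the outcome Beardsley describes; the strict gate blocks all three while still allowing ordinary navigations and same-origin javascript: URLs. The general lesson is that any security check on a URL has to run on the same normalised form the consumer will act on.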
“While the AOSP browser has ‘been killed off’ by Google, it is wildly popular, even on modern devices used by sophisticated users who prefer the stock browser over Google Chrome, Firefox, Dolphin, or other browsers,” Beardsley pointed out, adding that nearly all of the lower-end prepaid phones from major manufacturers and carriers still ship with this unsupported browser and with pre-4.4 builds of Android.
The Rapid7 team has released a Metasploit module for exploiting the flaw, and according to Baloch, Google has confirmed that it is working on a fix for Android versions prior to the latest one (v4.4, KitKat).
The only question now is how exactly Google means to push out this fix. As Peter Bright has noted, the AOSP Browser is generally updated only through operating system updates.
“Timely availability of Android updates remains a sticking point for the operating system, so even if Google develops a fix, it may well be unavailable to those who actually need it,” he pointed out.
At the moment, users can protect themselves by dropping the Android Browser and switching to an alternative that is not based on the same code: Firefox, Opera or Chrome.