A critical flaw has been discovered in the web browser installed by default on the majority of Android mobile devices. It has been estimated that nearly 70 percent of them are affected by the vulnerability, which could be exploited by an attacker to hijack users' open websites. A further element of concern is the availability of a dedicated Metasploit module, which makes the vulnerability easy to exploit.
The latest release, Android 4.4, is not affected by the flaw, but this version of the popular mobile OS is installed on only 25 percent of devices.
The vulnerability, CVE-2014-6041, affects Android version 4.2.1 and all older versions and was first disclosed in early September by the independent security researcher Rafay Baloch. Baloch also found that the AOSP browser installed on Android 4.2.1 is vulnerable to a Same Origin Policy (SOP) bypass, which allows one website to steal data from another.
Baloch confirmed that the Same Origin Policy (SOP) bypass works on a large number of devices, including Qmobile Noir, Sony Xperia, Samsung Galaxy S3, HTC Wildfire and Motorola Razr.
Due to the huge impact of the flaw, the Android vulnerability has been dubbed a "privacy disaster" by Tod Beardsley, one of the developers on the Metasploit team. Beardsley has announced that he will post a proof-of-concept video to demonstrate that the flaw is "sufficiently shocking."
"What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker's site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.
This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security. Oh, and it gets worse.”
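To make concrete what the quoted "cornerstone" actually checks, the following is an added example, not code from the article or from the researcher: a small JavaScript implementation of the origin comparison a browser performs under the Same-Origin Policy. An origin is the (scheme, host, port) triple; when any component differs, script on one page must not read the DOM, cookies or responses of the other. The sample URLs (mail.example.com, evil.example.net) are constructed for illustration.

```javascript
// Added example (not from the article): the origin comparison that the
// Same-Origin Policy rests on. CVE-2014-6041 is a case where the AOSP
// browser failed to enforce this check, so one page could read another.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Return the serialised origin of a URL, or null for schemes such as
// data: that have no host/port and are treated as opaque origins.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null; // unparsable URL: no origin
  }
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  // The URL parser omits a default port, so fill it in for comparison.
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// Same-origin check: both origins must be non-opaque and identical.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Constructed scenario from the article: a webmail tab open alongside
// other pages. Each entry is [candidate URL, expected verdict].
const WEBMAIL = 'https://mail.example.com/inbox';
const checks = [
  ['https://mail.example.com/compose', true],   // same scheme, host, port
  ['https://mail.example.com:443/inbox', true], // explicit default port
  ['http://mail.example.com/inbox', false],     // scheme differs
  ['https://evil.example.net/', false],         // host differs
  ['https://mail.example.com:8443/', false],    // port differs
  ['data:text/html,hello', false],              // opaque origin
];

// Evaluate every candidate against the webmail origin.
function runChecks() {
  return checks.map(([url, expected]) => ({
    url,
    allowed: sameOrigin(WEBMAIL, url),
    expected,
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runChecks()) {
    console.log(`${r.allowed ? 'ALLOW' : 'BLOCK'} ${r.url}`);
  }
}
```

The check is entirely client-side: a website has no way to compensate for a browser that fails to enforce it, which is why the only advice on this page is to stop using the affected browser until it is patched.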
Baloch reported the security issue to the Google security team, but when it came to a reward for the bug, the company replied that it was not able to reproduce the vulnerability.
"We are unable to reproduce this issue though. It's possible that your OEM has modified the browser in a manner that has created this issue," said Josh Armour of the Android Security team.
“Android does not currently have a Vulnerability Rewards Program. As far as publicly crediting for the vulnerability we have started to maintain a list of acknowledgements here. Given that this was published before we had a chance to provide patches, this specific report would not qualify.”
Unfortunately, the browser affected by the Same Origin Policy vulnerability cannot be uninstalled by users. While waiting for a fix, Android users need to disable the browser from the menu item Settings > Apps > All.
(Security Affairs – Same Origin Policy, Android)