The browser app pre-installed on Android devices is affected by a critical flaw, tracked as CVE-2017-17692, that could be exploited by an attacker to steal data from browser tabs if the user visits an attacker-controlled site.
A SOP bypass occurs when a sitea.com is somehow able to access the properties of siteb.com such as cookies, location, response etc.
An attacker can copy victim’s session cookie or hijack his session and read and write webmail on your behalf.
Mishra developed a Metasploit Module for the exploitation of the SOP bypass issue and reported the flaw to the MITRE to assign CVE.
Mishra also reported the flaw to Samsung, who acknowledged it and confirmed that “the patch is already preloaded in our upcoming model Galaxy Note 8, and the application will be updated via Apps store update in October.“
The experts from Rapid7 have also published a video PoC of the attack.
The availability online of the Metasploit exploit code pose a serious risk to Android users that are still using the old Android Stock browser.
(Security Affairs – SOP bypass issue, Android)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.