Android browser flaw found to leak data

The vulnerability enables a hacker to run JavaScript from a website to steal data from web pages open in other browser tabs

CSO Staff

A security researcher has found another flaw in the Android browser that a cybercriminal could use to steal sensitive data.

The latest same-origin policy (SOP) bypass vulnerability is the second found by researcher Rafay Baloch, who discovered the first, CVE-2014-6041, last month.

The vulnerability is in how JavaScript is handled by the Android function responsible for loading frame URLs. The SOP is supposed to prevent JavaScript on one web page from accessing content from another page.

However, the flaw enables that barrier to be bypassed, so an attacker can read the content of browser tabs when the user visits a page controlled by the attacker.

Baloch has created a proof-of-concept exploit.

"The POC is very easy to understand for individuals having some JavaScript background," Baloch said in his blog.

Google no longer supports the Android browser, which it has replaced with Chrome in Android 4.4. However, the company told ThreatPost, the Kaspersky Lab blog, that a patch was released for Android 4.1-4.3. Users of older versions are apparently out of luck.

Google did not respond to a request for comment.

The vulnerability is a "major issue," Ted Eull, vice president of mobile services for security vendor viaForensics, said.

"Because the browser was included by default on many devices pre-KitKat (version 4.4), there are potentially hundreds of thousands of affected users," he said.

Phones that are likely vulnerable include the Samsung Galaxy S3, the Samsung Galaxy Note 2, the LG Optimus G, the LG G2 and the Motorola Droid RAZR, Eull said.

ViaForensics is advising customers to download either Chrome or Firefox from the Google Play store and use it as the default browser. People should uninstall the Android browser, if their device lets them.

While Chrome and Firefox sometimes have their own vulnerabilities, "they are very actively updated and generally patched quickly when security issues are discovered," Eull said.

Security experts have criticized wireless carriers for failing to work with device manufacturers in pushing out Android updates and patches quickly in order to protect customers.

But in the last couple of years, there has been a significant improvement, Jeremy Linden, senior security product manager at Lookout, said. People with popular phones from major manufacturers, such as Samsung and Motorola, are getting updates regularly.

However, people with older, less popular phones are unlikely to receive updates and will have to upgrade, if they are worried about security, experts say.

"It's not ideal," Bob O'Donnell, analyst for TECHnalysis, said of the current situation.

AT&T did not respond to a request for comment. Verizon Wireless pointed out that it has a website where customers can go to check whether updates are available for their phone.

"We regularly deliver software updates after thorough testing to ensure customers have a great experience," Debra Lewis, spokeswoman for the company, said.

Copyright © 2014 IDG Communications, Inc.
