Second Same-Origin Policy Bypass Flaw Haunts Android Browser

There is another same-origin policy bypass vulnerability in the Android browser in versions prior to 4.4 that allows an attacker to steal data from a user’s browser.

Google has fixed the vulnerability in some versions of Android, but millions of users of older versions are still affected. The vulnerability lies in the way the Android function responsible for loading frame URLs handles JavaScript. Security researcher Rafay Baloch discovered the vulnerability and developed a proof-of-concept exploit that allows him to steal data from a user’s browser. Baloch said the vulnerability has been fixed for some time in Google Chrome, but it still existed in the Android browser until he disclosed it to Google late last month.

“The POC is very easy to understand for individuals having some JavaScript background. However, for others, let me break it down for you. The above code creates an object with a data attribute, which loads up a URL from another origin, in this case “http://www.bing.com”; however, once it’s loaded, we replace bing.com with “javascript:alert(document.domain)”. The interesting thing here is that the last line, object.innerHTML = “foobar”;, is essential for the POC to work, so that the navigation request is performed,” Baloch said in a post about the vulnerability.
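To make the failure concrete, the following is an added example written for this page; it is not Baloch’s proof of concept and not code from the Android browser. It models the decision a frame loader has to make when script assigns a javascript: URL to an embedded frame, and replays the three steps Baloch describes (load a cross-origin page into the object, swap its data for a javascript: URL, force the navigation) against a loader that behaves the way the article describes and against one that enforces the same-origin check. The attacker origin http://attacker.example, the frame model and all function names are assumptions for illustration; nothing here touches a real browser.

```javascript
// Added example, not from the article or from Baloch's PoC. Models a frame
// loader's handling of javascript: URL navigations. All origins are constructed.

// Origin of a URL as the WHATWG URL class computes it (scheme, host, port, with
// default ports dropped). Opaque schemes such as javascript: and about: give the
// string "null", which is never same-origin with anything.
function originOf(urlString) {
  return new URL(urlString).origin;
}

function isSameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  return a !== 'null' && a === originOf(urlB);
}

// A minimal embedded frame (the <object> in the PoC): it only remembers which
// document it currently displays and keeps a log for inspection.
function createFrame(initialUrl) {
  return { documentUrl: initialUrl, log: [] };
}

// Loader with the flaw the article describes: a javascript: URL assigned to the
// frame runs against whatever document the frame currently holds, without
// asking who assigned it. An attacker page thus gets script execution in the
// embedded site's origin. (A real loader must also parse the scheme
// case-insensitively and strip leading whitespace; a prefix test suffices here.)
function vulnerableNavigate(frame, initiatorUrl, targetUrl) {
  if (targetUrl.startsWith('javascript:')) {
    const inOrigin = originOf(frame.documentUrl);
    frame.log.push(`ran javascript: URL in ${inOrigin}`);
    return { executed: true, refused: false, inOrigin };
  }
  frame.documentUrl = targetUrl;
  frame.log.push(`navigated to ${targetUrl}`);
  return { executed: false, refused: false, inOrigin: null };
}

// Hardened loader: a javascript: URL is executed only when the initiating
// document is same-origin with the document currently in the frame; otherwise
// the navigation is refused and nothing runs.
function hardenedNavigate(frame, initiatorUrl, targetUrl) {
  if (targetUrl.startsWith('javascript:')) {
    if (!isSameOrigin(initiatorUrl, frame.documentUrl)) {
      frame.log.push('refused cross-origin javascript: navigation');
      return { executed: false, refused: true, inOrigin: null };
    }
    const inOrigin = originOf(frame.documentUrl);
    frame.log.push(`ran javascript: URL in ${inOrigin}`);
    return { executed: true, refused: false, inOrigin };
  }
  frame.documentUrl = targetUrl;
  frame.log.push(`navigated to ${targetUrl}`);
  return { executed: false, refused: false, inOrigin: null };
}

// Replays the PoC's sequence against a loader: the initiator embeds embeddedUrl,
// then swaps the frame's data for a javascript: URL and forces the navigation
// (the innerHTML assignment in the PoC). Returns the result of the second step.
function replaySwap(navigate, initiatorUrl, embeddedUrl) {
  const frame = createFrame('about:blank');
  navigate(frame, initiatorUrl, embeddedUrl);
  return navigate(frame, initiatorUrl, 'javascript:alert(document.domain)');
}

const ATTACKER = 'http://attacker.example/'; // constructed attacker origin

function attackVulnerable() {
  return replaySwap(vulnerableNavigate, ATTACKER, 'http://www.bing.com/');
}
function attackHardened() {
  return replaySwap(hardenedNavigate, ATTACKER, 'http://www.bing.com/');
}
// Legitimate use: a page scripting a frame of its own origin must still work.
function sameOriginHardened() {
  return replaySwap(hardenedNavigate, ATTACKER, 'http://attacker.example/page');
}

console.log('vulnerable :', attackVulnerable());
console.log('hardened   :', attackHardened());
console.log('same-origin:', sameOriginHardened());
```

The vulnerable loader reports the javascript: URL executing in http://www.bing.com, which is exactly the bypass: the attacker’s script reads document.domain (or cookies, or page content) of a site it never controlled. The hardened loader refuses that navigation but still lets a page script a frame of its own origin, so the fix does not break legitimate use.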

Baloch said via email that although Google has issued a patch for the vulnerability, it’s not exactly clear which versions it protects. The email from Google’s security team said that the fix was applied for Jelly Bean users, meaning Android 4.1 to 4.3. So there is apparently no fix for users of versions earlier than Jelly Bean.

The Android browser was the default installed browser on Android devices for a time, but Google has stopped supporting it. Chrome is now the preferred browser on Android devices.

Baloch, who discovered a separate SOP bypass flaw in the Android browser earlier this year, said that there are several other browsers that contain the newer SOP bypass flaw, including Safari 5.0.

“There are tons of other browsers with a huge user base that are vulnerable to the same vulnerability: Maxthon, CM Browser, Safari Browser 5.0, to name a few. If you are still using the Android browser or any of the other browsers, you should immediately apply patches or switch to Chrome or Firefox. I believe there are several other vulnerabilities that were addressed in Chrome WebKit and still have not been addressed inside of the Android browser, therefore it is recommended to avoid it completely,” he said.
