There’s an easily exploitable vulnerability in the Android stock browser that enables an attacker to spoof the URL in the address bar and force a victim to visit a malicious site while believing he is visiting a benign one.
Security researcher Rafay Baloch discovered the vulnerability and developed the technique for exploiting it. The problem lies in the fact that the Android stock browser handles 204 errors incorrectly.
“The issue is caused due to the fact that the browser fails to handle 204 error ‘No Content’ responses when combined with window.open event and therefore allowing us to spoof the address bar,” Baloch said in a post explaining the bug.
The vulnerability is present in the Android stock browser on both Kitkat and Lollipop, the two most recent versions of Android. However, Baloch said that the bug does not affect Chrome on Android. Baloch also said that it would be quite unlikely that a victim would notice an attack on the bug while it was in progress.
“Since Address bar is the only reliable security indicator in modern browsers as per Google security team, it would be highly unlikely that the victim would realize if he is being tricked to log into a spoofed page, also since it affects all android versions, it should be a big concern for carrier’s and they should push updates asap,” Baloch said by email.
Google has committed patches for Kitkat and Lollipop, but because the carriers control the distribution channel for Android updates, there’s no telling when or if various user bases will get access to the fix. Researchers recommend that users avoid using the Android stock browser for sensitive operations in the interim.
“In the event that patches are unavailable for a particular handset or carrier, users are advised to avoid using the Chrome browser to perform authentication, especially when following links from untrusted or unverifiable sources until patches are available,” said Tod Beardsley, engineering manager at Rapid7, who helped coordinate the bug disclosure with Google and Baloch.