The researcher who originally discovered the same-origin policy (SOP) bypass in the stock Android browser said he reported the vulnerability to Google weeks ago, but that the company's Android security team told him it was unable to reproduce the issue.
Rafay Baloch said he first reported the vulnerability to Google on Aug. 13, informing the company's Android security team that he had found a method that let a site he controls read the content of other tabs open in a visiting user's browser. Google security engineers didn't reply for nearly two weeks, and when they did, the answer was that they couldn't reproduce the problem.
Here’s how Baloch described the issue he found:
“A SOP bypass occurs when a sitea.com is somehow able to access the properties of siteb.com such as cookies, location, response etc. Due to the nature of the issue and potential impact, browsers have a very strict model pertaining to it and a SOP bypass is rarely found in modern browsers. However, they are found once in a while. The following writeup describes a SOP bypass vulnerability I found in my Qmobile Noir A20 running Android Browser 4.2.1, and later verified that Sony Xperia Tipo, Samsung Galaxy, HTC Wildfire, Motorola etc. are also affected. To the best of my knowledge, the issue occurred due to improper handling of null bytes by the URL parser,” he wrote in a blog post.
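The quote names the bug class without showing it: a URL parser that tolerates null bytes, so that one part of the browser sees a harmless-looking string while another part sees a script URL. The following is an added illustration of that check-versus-parse mismatch, written for this page; it is not Baloch's proof of concept, not the Android browser's code, and the function names and the "navigate a named window" model are hypothetical simplifications. It contrasts a lenient parser that strips NUL bytes with a hardened one that rejects them outright.

```javascript
// Hypothetical model of the null-byte URL parsing bug class, constructed
// for this page. Not the Android browser's code and not Baloch's PoC.

const NUL = "\u0000";

// Lenient scheme parser: silently drops NUL bytes before reading the
// scheme. This is the kind of "improper handling of null bytes" that lets
// a string which does NOT start with "javascript:" still be treated as a
// javascript: URL once it reaches the navigation layer.
function lenientScheme(url) {
  const cleaned = url.split(NUL).join("");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Hardened scheme parser: control characters (NUL included) make the URL
// invalid. Rejecting beats sanitizing, because sanitizing is what creates
// the disagreement between the check and the consumer.
function strictScheme(url) {
  if (/[\u0000-\u001f\u007f]/.test(url)) return null; // reject, don't clean
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Vulnerable model: a script-URL check on the raw string, followed by a
// parser that cleans the string. The check is fooled by a leading NUL; the
// parser is not, so the script URL runs in the target window's origin.
function navigateVulnerable(url) {
  if (url.toLowerCase().startsWith("javascript:")) return "blocked";
  const scheme = lenientScheme(url);
  if (scheme === "javascript") return "script executed in target origin";
  return "navigated to " + scheme;
}

// Hardened model: parse exactly once, with the strict parser, and make the
// security decision on that single result.
function navigateHardened(url) {
  const scheme = strictScheme(url);
  if (scheme === null || scheme === "javascript") return "blocked";
  return "navigated to " + scheme;
}

// Constructed sample inputs: a plain URL, an obvious script URL, and a
// script URL hidden behind a leading NUL byte.
const SAMPLES = [
  "http://example.test/",
  "javascript:alert(document.domain)",
  NUL + "javascript:alert(document.domain)",
];

function runComparison() {
  return SAMPLES.map((u) => ({
    input: JSON.stringify(u),
    vulnerable: navigateVulnerable(u),
    hardened: navigateHardened(u),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(runComparison());
}
```

The point of the model is the third input: the raw-string check passes it because it does not start with `javascript:`, the lenient parser strips the NUL and reports the scheme as `javascript`, and the two disagree. A single strict parse, shared by the check and the consumer, removes the disagreement regardless of which bytes an attacker prepends.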
Baloch said via email that after receiving the reply from Google, he wrote his blog post explaining the vulnerability. Shortly thereafter, Josh Armour from the Android security team sent another email saying that the company had been able to reproduce the vulnerability after all.
“After continued testing we were able to reproduce this. We are now working internally on a suitable fix,” the email said.
The SOP bypass vulnerability that Baloch discovered affects the stock Android Open Source Project (AOSP) browser on versions of Android before 4.4, which account for about 75 percent of Android devices in use right now. Android 4.4 and later aren't vulnerable, and the bug does not affect Google Chrome on Android; a user on an older device is protected only if the vulnerable stock browser is not the one being used.
Yesterday, researchers at Rapid7 published a detailed analysis of the SOP bypass bug and said that a Metasploit module that exploits the flaw is now available.