Flaw in Android Browser Allows Same Origin Policy Bypass

There’s a serious vulnerability in pre-4.4 versions of Android that allows an attacker to read the contents of other tabs in a browser when a user visits a page the attacker controls. The flaw is present in a huge percentage of the Android devices in use right now, and there’s now a Metasploit module available to exploit the vulnerability.

The vulnerability was first disclosed in late August, but there has not been much in the way of public discussion of it. Exploiting the flaw is a straightforward matter and allows the attacker to bypass the same-origin policy in the Android browser.

“By malforming a javascript: URL handler with a prepended null byte, the AOSP, or Android Open Source Platform (AOSP), Browser fails to enforce the Same-Origin Policy (SOP) browser security control,” Tod Beardsley of Rapid7 said in an explanation of the flaw.

“What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker’s site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”
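As an added example (not code from the article, from Rapid7, or from the Metasploit module), a small Python scanner that flags javascript: URLs carrying a prepended null byte in quoted HTML attributes, the malformed handler form Beardsley describes; the sample markup, the attribute names checked, and the encodings handled are constructed assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Quoted href/src/action/data attribute values. Unquoted values are ignored
# on purpose to keep the matcher simple (assumption, not a browser parser).
_ATTR_RE = re.compile(r'(?:href|src|action|data)\s*=\s*(["\'])(.*?)\1', re.I | re.S)


def normalize(value: str) -> str:
    """One pass of percent-decoding so an encoded %00 becomes a real NUL.
    Double-encoded forms (%2500) are deliberately not decoded twice."""
    return unquote(value)


def is_null_prefixed_js_url(value: str) -> bool:
    """True if the value is a javascript: scheme preceded by one or more NUL bytes.
    Leading whitespace is dropped first, mirroring how URL parsers trim input."""
    v = normalize(value).lstrip()
    if not v.startswith("\x00"):
        return False
    return v.lstrip("\x00").lower().startswith("javascript:")


def find_suspicious_urls(html: str) -> list:
    """Return every attribute value in the markup that matches the pattern."""
    return [m.group(2) for m in _ATTR_RE.finditer(html) if is_null_prefixed_js_url(m.group(2))]


# Constructed sample page: two benign links, one raw-NUL and one %00-encoded case.
SAMPLE_HTML = (
    '<a href="https://example.test/mail">webmail</a>\n'
    '<a href="\x00javascript:alert(1)">null-prefixed</a>\n'
    '<iframe src="%00javascript:alert(1)"></iframe>\n'
    '<a href="javascript:void(0)">ordinary js link, not flagged</a>\n'
)

if __name__ == "__main__":
    for hit in find_suspicious_urls(SAMPLE_HTML):
        print("flagged:", repr(hit))
```

Running the block prints the two constructed hits; the ordinary javascript: link is left alone because the check is specifically for the null-byte prefix.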

The bug applies to the Android Open Source Platform browser, an older browser that Google no longer supports. Google has replaced the AOSP browser with Chrome, but the browser still runs on many older devices and there are ways to install it on newer devices, as well. Beardsley said it’s unclear exactly when Google fixed the SOP bypass vulnerability and why it hasn’t been discussed publicly.

“Research and testing is still ongoing to plumb the depths of this issue. We’d like to pin down exactly when the bug was fixed, and to determine just how widespread this vector really is. After all, pre-4.4 builds of Android account for about 75% of the total Android ecosystem today,” he said.

“More importantly, 4.2 (Jellybean) and prior phones account for nearly 100% of off-the-shelf, lower-end prepaid phones from major manufacturers and carriers. They still ship the unsupported AOSP browser. These are the kinds of phones that account for a huge chunk of total market share, and yet are still vulnerable to this bug and the WebView addJavascriptInterface vulnerability.”


  • Rafay Baloch

    I tried reporting this issue to Google way before I blogged about it; they were unable to reproduce it despite all my efforts and closed the issue. And when I released the blog post, they replied with the following: "Rafay, After continued testing we were able to reproduce this. We are now working internally on a suitable fix. -- Josh Armour -- Android Security"

  • a8

    That was scary fast. Does Google subscribe to your blog? lol.

  • Greggr

    Are there any suggestions for people with older machines? I disabled the old browser on our Sony Tablet S and deleted the cache and data from it. Chrome was installed and seems to run quicker now that I killed the old browser and disabled it. It's a shame that there are no updates for older Android boxes.

  • AndroidLeak

    Hi, I just made a simple website for testing your Android browser. It will just tell you if your browser is affected by this bug or not. I believe it's a useful tool that will convince people to update their stock browsers. See http://www.androidleak.tk
