There’s a serious vulnerability in pre-4.4 versions of Android that allows an attacker to read the contents of other tabs in a browser when a user visits a page the attacker controls. The flaw is present in a huge percentage of the Android devices in use right now, and there’s now a Metasploit module available to exploit the vulnerability.
The vulnerability was first disclosed in late August, but there has not been much in the way of public discussion of it. Exploiting the flaw is a straightforward matter and allows the attacker to bypass the same-origin policy in the Android browser.
“What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”
The bug applies to the Android Open Source Platform browser, an older browser that Google no longer supports. Google has replaced the AOSP browser with Chrome, but the browser still runs on many older devices and there are ways to install it on newer devices, as well. Beardsley said it’s unclear exactly when Google fixed the SOP bypass vulnerability and why it hasn’t been discussed publicly.
“Research and testing is still ongoing to plumb the depths of this issue. We’d like to pin down exactly when the bug was fixed, and to determine just how widespread this vector really is. After all, pre-4.4 builds of Android account for about 75% of the total Android ecosystem today,” he said.