430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Android Same Origin Policy flaw affects more than 70% devices

A serious flaw vulnerability has been discovered in the default browser on a large number of Android devices that allows to bypass the Same Origin Policy. A critical flaw has been discovered in the Web browser installed by default on the majority of Android mobile devices, it has been estimated that nearly 70 percent of the […]

Android Same Origin Policy flaw affects more than 70% devices

A serious flaw vulnerability has been discovered in the default browser on a large number of Android devices that allows to bypass the Same Origin Policy.

A critical flaw has been discovered in the Web browser installed by default on the majority of Android mobile devices, it has been estimated that nearly 70 percent of the them is affected by the vulnerability that could be exploited by an attacker to hijack users’ open websites. A further element of concern is the availability of a specific Metasploit module which allows easily to exploit the vulnerability.

“The Android Browser application 4.2.1 on Android allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick=”window.open(‘\u0000javascript: sequence.”states the description of the CVE-2014-6041 vulnerability.

The latest release, Android 4.4, is not affected by the flaw, but the new version of the popular mobile OS is installed only on 25 percent of the devices.

The vulnerability CVE-2014-6041 affects Android versions 4.2.1 and all older versions and was discovered for the first time early September by the independent security researcher Rafay Baloch. Baloch also discovered that the AOSP browser installed on Android 4.2.1 is vulnerable to Same Origin Policy (SOP) bypass which allows one website to steal data from another.

“Same Origin Policy (SOP) is one of the most important security mechanisms that are applied in modern browsers, the basic idea behind the SOP is the javaScript from one origin should not be able to access the properties of a website on another origin.” “A SOP bypass occurs when a sitea.com is some how able to access the properties of siteb.com such as cookies, location, response etc. Due to the nature of the issue and potential impact, browsers have very strict model pertaining it and a SOP bypass is rarely found in modern browsers. However, they are found once in a while. The following writeup describes a SOP bypass vulnerability i found in my Qmobile Noir A20 running Android Browser 4.2.1, and later verified that Sony+Xperia+Tipo, Samsung galaxy, HTC Wildfire, Motrorolla etc are also affected. To best of my knowledge, the issue occurred due to improper handling of nullbytes by url parser. ” said Baloch in a blog post.

Baloch confirmed that the Same Origin Policy (SOP) bypass works on a large number of devices, including Qmobile Noir, Sony Xperia, Samsung Galaxy S3, HTC Wildfire and Motorola Razr.

AOSP browser Same Origin Policy flaw 2

Due to  the huge impact of the flaw, the Android vulnerability has been dubbed “privacy disaster” by Tod Beardsley, which is one of the developers for the Metasploit team. Beardsley has anticipated that he will post a POC-video to demonstrate that the flaw is “sufficiently shocking.”

“By malforming a javascript: URL handler with a prepended null byte, the AOSP, or Android Open Source Platform (AOSP) Browser) fails to enforce the Same-Origin Policy (SOP) browser security control,” Tod Beardsley of Rapid7 wrote in a blog post.

“What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.

This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security. Oh, and it gets worse.”

Baloch reported the security issue to the Google security team, but when it came to reward for the bug discovered the company replied that was not able to reproduce the vulnerability.

“We are unable to reproduce this issue though. It’s possible that your OEM has modified the browser in a manner that has created this issue,” said Josh Armour of Android Security team.

Android does not currently have a Vulnerability Rewards Program. As far as publicly crediting for the vulnerability we have started to maintain a list of acknowledgements here. Given that this was published before we had a chance to provide patches, this specific report would not qualify.

Unfortunately the browser affected by the Same Origin Policy vulnerability cannot be uninstalled by the users, waiting for a fix Android users need to “Disable the browser” from the menù item Settings > Apps > All.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Same Origin Policy, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]