An exploit of an unsupported Android browser bypasses the ever-important Same Origin Policy.
A vulnerability in the Android Open Source Platform (AOSP) is a "privacy disaster" that affects about 75 percent of the overall "Android ecosystem" and about 100 percent of the low-end prepaid phones, according to researchers at Rapid7's Metasploit research team.
The vulnerability -- CVE-2014-6041, disclosed by Rafay Baloch -- bypasses the AOSP browser's Same Origin Policy. Yesterday, Tod Beardsley, technical lead for the Metasploit framework, wrote:
What this [vulnerability] means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker's site while you had your webmail open in another window -- the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.
This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security.
Not long ago, browser SOP bypasses were a common Web attack tactic, but most browser developers have made a point of eliminating such vulnerabilities.
Exploit modules for this vulnerability are now available for all versions of Metasploit.
The AOSP browser is no longer supported by Google, but is nevertheless "widely popular" and frequently re-installed by users who prefer it to other browsers, says Beardsley.