An exploit of an unsupported Android browser bypasses the ever-important Same Origin Policy.
A vulnerability in the Android Open Source Platform (AOSP) is a "privacy disaster" that affects about 75 percent of the overall "Android ecosystem" and about 100 percent of the low-end prepaid phones, according to researchers at Rapid7's Metasploit research team.
The vulnerability -- CVE-2014-6041, disclosed by Rafay Baloch -- bypasses the AOSP browser's Same Origin Policy. Yesterday, Tod Beardsley, technical lead for the Metasploit framework, wrote:
What this [vulnerability] means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker's site while you had your webmail open in another window -- the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.
This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security.
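To make concrete what the Same Origin Policy normally enforces, here is the origin comparison a browser performs before letting script in one document read another document's DOM or cookies. This is an added illustration, not code from the article, from Rapid7, or from the AOSP browser; the URLs are constructed samples and the function names are chosen here.

```javascript
// Added example: the scheme/host/port check behind the Same Origin Policy.
// A bypass such as the one described above lets a caller read a target
// for which this check would have returned false.
// Constructed sample URLs; not from the article.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple (scheme, host, effective port).
function originOf(urlString) {
  const u = new URL(urlString);
  // WHATWG URL parsing drops a default port, so restore it for comparison.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs share an origin only if all three components match exactly.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Decide whether a script running in the document at callerUrl may read
// the document at targetUrl. Browsers deny every cross-origin read here.
function mayRead(callerUrl, targetUrl) {
  return sameOrigin(callerUrl, targetUrl);
}

// Constructed cases: [caller, target, expected verdict].
const CASES = [
  ["http://attacker.example/lure.html", "https://webmail.example/inbox", false],
  ["https://webmail.example/inbox", "https://webmail.example/compose", true],
  ["https://webmail.example/inbox", "https://webmail.example:8443/inbox", false],
  ["http://webmail.example/", "https://webmail.example/", false],
  ["https://webmail.example/", "https://sub.webmail.example/", false],
  ["https://webmail.example:443/", "https://webmail.example/", true],
];

// Run all cases and report whether each verdict matches expectation.
function runCases() {
  return CASES.map(([caller, target, expected]) => ({
    caller,
    target,
    allowed: mayRead(caller, target),
    expected,
  }));
}

for (const r of runCases()) {
  console.log(`${r.caller} -> ${r.target}: ${r.allowed ? "allowed" : "denied"}`);
}
```

The first case is the scenario in the quote: a page on the attacker's origin asking to read a webmail document. With the policy intact, that read is denied; the disclosed vulnerability is precisely a browser that lets it through despite the mismatch.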
Not long ago, browser SOP bypasses were a common Web attack tactic, but most browser developers have made a point of eliminating such vulnerabilities.
Exploit modules for this vulnerability are now available for all versions of Metasploit.
The AOSP browser is no longer supported by Google, but is nevertheless "widely popular" and frequently re-installed by users who prefer it to other browsers, says Beardsley.