Android Browser Bug Allows Same Origin Policy Bypass

The AOSP browser in pre-4.4 Android devices contains a vulnerability that lets an attacker read the contents of other web pages that are open during the same browser session. This vulnerability affects a huge number of Android devices in use right now, and there is even a Metasploit module to exploit it.

“This is a privacy disaster.”
Tod Beardsley, Metasploit

Pre-4.4 builds of Android account for almost 75% of total Android devices in use today according to Google’s own statistics. What is even more concerning is that pre-4.2 (Jelly Bean) phones account for almost all of the off-the-shelf, lower-end prepaid Android phones sold by major manufacturers and carriers. All of these pre-4.2 phones ship with the AOSP browser that contains the vulnerability.

Though the AOSP browser is not included in post-4.4 Android phones, many users prefer it and still install it on their newer devices.

Background

The vulnerability was first disclosed on September 1 by security researcher Rafay Baloch.

On September 7, a member of Rapid7’s team provided a Metasploit module to exploit the vulnerability. The module is now available in all versions of Metasploit.

Rafay Baloch claims that he notified Google of the bug in mid-August but that Google responded saying their security team couldn’t reproduce the exploit. Google has since released patches for AOSP, which Android users can download here and here.

How Does the Vulnerability Work?

This vulnerability is a Same Origin Policy (SOP) bypass. The SOP is designed to allow pages from the same site to interact with each other while preventing JavaScript from one website from accessing information belonging to another website. By bypassing the SOP, an attacker can read content from other websites opened in the same browser session.

Tod Beardsley at Metasploit explains why this is such a huge problem: “…any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker’s site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”

What Do I Do?

Stop using the AOSP browser if you currently use it. On a pre-4.4 Android device you may not be able to uninstall it, but simply not using the browser protects you from the vulnerability. You can also disable the browser application in the device settings to prevent launching it by accident.