A Serious vulnerability has been discovered in the Web browser installed by default on a large number (Approximately 70%) of Android devices, that could allow an attacker to hijack users’ open websites.The exploit targets vulnerability (CVE-2014-6041) in Android versions 4.2.1 and all older versions and was first disclosed right at the start of September by an independent security researcher Rafay Baloch.
The Android bug has been called a “privacy disaster” by Tod Beardsley, a developer for the Metasploit security toolkit, and in order to explain you why, he has promised to post a video that is “sufficiently shocking.”
By malforming a javascript: URL handler with a prepended null byte, the AOSP, or Android Open Source Platform (AOSP) Browser) fails to enforce the Same-Origin Policy (SOP) browser security control,” Tod Beardsley of Rapid7 said in a blog post.
“What this means is any arbitrary website – say, one controlled by a spammer or a spy – can peek into the contents of any other web page,” Beardsley said. “[If] you went to an attackers site while you had your webmail open in another window, the attacker could scrape your email data and see what your browser sees.”
“Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.
Baloch also found the AOSP browser installed on Android 4.2.1 is vulnerable to Same Origin Policy (SOP) bypass that allows one website to steal data from another. He then tested his findings on numerous devices, including Qmobile Noir, Sony Xperia, Samsung Galaxy S3, HTC Wildfire and Motorola Razr and found that it works on all.
But, anyone running the latest release, Android 4.4, is not affected, which means that as many as 75 per cent of Android devices and millions of Android users are vulnerable to the attack, according to Google’s own statistics.
“Android does not currently have a Vulnerability Rewards Program. As far as publicly crediting for the vulnerability we have started to maintain a list of acknowledgements here. Given that this was published before we had a chance to provide patches, this specific report would not qualify.”
In order to protect yourself, just Disable the BROWSER from your Android devices by going to Settings > Apps > All and looking for its icon. By opening it, you’ll find a DISABLE button, Select it and disable the Browser.
