PhotoUp to half of all Android users might be at risk from a security flaw, first discovered at the end of August by software security researcher Rafay Baloch but only attracting widespread notice now.

This week, the IT security firm Rapid7 called the bug “a privacy disaster” and said that one of its researchers had developed a working exploit of the security flaw — meaning that the flaw could be used to steal data.

A Sept. 15 post on the Rapid7 security blog says that the vulnerability would allow a hacker to “load javascript into any arbitrary frame or window,” and that “By malforming a javascript: URL handler with a prepended null byte, an attacker can avoid the Android Open Source Platform (AOSP) Browser's Same-Origin Policy (SOP) browser security control.”

The Same-Origin Policy in browsers is what usually prevents one website you visit from being able to access content from other sites; basically, it says that a given website can only see or control scripts originating from itself, and no other websites.

But Rapid7 says that the bug discovered in Android browsers would allow the controllers of one website you visit to see (or even control) what you're doing elsewhere on the web: “Any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker's site while you had your webmail open in another window -- the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”

Flaw is widespread

Ars Technica estimates that roughly 40 to 50% of all Android users have the flawed browser on their devices, and that the “Android Browser is likely to be embedded in third-party products, too, and some Android users have even installed it on their Android 4.4 phones because for one reason or another they prefer it to Chrome.”

Sophos' NakedSecurity blog recommends that anyone with Browser installed on their Android device stop using it immediately. “You almost certainly can't uninstall it, because it's usually part of the operating system build itself, meaning it doesn't show up under 'Settings | Apps | Downloaded.' But if you tap on 'Browser' from the 'All apps' page, you should see a [Disable] button where you'd usually see [Uninstall].

Disabling the app will prevent you from using the flawed browser so long as it remains a security risk.

Share your Comments