Security researchers are warning that a previously disclosed exploit for an Android vulnerability could be a “privacy disaster” for the roughly 75% of smartphones running older versions of the Google OS.
The vulnerability in question, CVE-2014-6041, was first disclosed on September 1 by Rafay Baloch and affects Android versions prior to 4.4, according to Tod Beardsley, a developer on the Metasploit penetration-testing framework.
“By malforming a javascript: URL handler with a prepended null byte, an attacker can avoid the Android Open Source Platform (AOSP) Browser's Same-Origin Policy (SOP) browser security control,” he wrote in a blog post.
“What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page.”
In practice, if a user visited an attacker’s site while their webmail was still open in another tab, the attacker’s page could read that email data and even hijack the session completely, reading and sending email on the user’s behalf, he explained.
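As an added illustration (not code from the article, from Rafay Baloch or from the Metasploit project), the JavaScript below models the bug class Beardsley describes: a security check that reads the URL scheme from the raw string sees nothing alarming in a URL with a prepended null byte, while the component that dispatches the URL strips that byte and runs it as a javascript: URL, so the two sides disagree about what is being executed. The sample URLs, function names and normalisation rules are this example's own assumptions; the normalisation follows the first steps of the WHATWG URL parser, not the AOSP browser's actual code.

```javascript
// Added example (not from the article or from the AOSP/Metasploit projects): a model of
// the parser-disagreement pattern behind CVE-2014-6041. A naive check reads the scheme
// from the raw string, so "\u0000javascript:..." looks harmless, while the dispatcher
// strips the leading null byte and executes it as javascript:. The hardened check
// normalises first, the way the WHATWG URL parser does, so both sides agree.

// Constructed sample inputs: the shape of the public PoC (javascript: with a prepended
// null byte) plus variants that abuse other lenient-parser habits.
const SAMPLE_URLS = [
  "http://example.test/",
  "javascript:alert(document.domain)",
  "\u0000javascript:alert(document.domain)", // prepended null byte
  "   javascript:alert(1)",                 // leading spaces
  "\tjava\nscript:alert(1)",                // tab and newline inside the scheme
  "JaVaScRiPt:alert(1)",                    // mixed case
];

// Naive check: exact prefix match on the raw string. A leading null byte slips past it.
function naiveIsJavascriptUrl(raw) {
  return raw.startsWith("javascript:");
}

// Normalisation modelled on the WHATWG URL parser's opening steps:
//   1. strip leading and trailing C0 controls (U+0000..U+001F) and U+0020 space;
//   2. remove every ASCII tab, LF and CR from what remains;
//   3. read the scheme (up to the first ':') and lower-case it.
function normalisedScheme(raw) {
  const trimmed = raw.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const stripped = trimmed.replace(/[\t\n\r]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+\-.]*):/.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

// Hardened check: compare the scheme the dispatcher will actually see.
function hardenedIsJavascriptUrl(raw) {
  return normalisedScheme(raw) === "javascript";
}

// Cross-check with the platform's own WHATWG-conformant parser: if that parser will
// dispatch the URL, its view of the scheme is the one that matters. Returns null for
// strings it refuses to parse.
function whatwgScheme(raw) {
  try {
    return new URL(raw).protocol.slice(0, -1);
  } catch {
    return null;
  }
}

// Every URL on which the naive and hardened checks disagree is a gap an attacker can
// stand in: the policy check passes it, the executor runs it.
function findBypasses(urls) {
  return urls.filter((u) => hardenedIsJavascriptUrl(u) && !naiveIsJavascriptUrl(u));
}

for (const u of SAMPLE_URLS) {
  console.log(
    JSON.stringify(u).padEnd(44),
    "naive:", naiveIsJavascriptUrl(u),
    "hardened:", hardenedIsJavascriptUrl(u),
    "whatwg:", whatwgScheme(u),
  );
}
console.log("bypasses of the naive check:", findBypasses(SAMPLE_URLS).length);
```

The general lesson, which goes beyond the null-byte case, is that a scheme check must run on the same normalised form the dispatcher uses; any input the checker and the executor interpret differently is a same-origin bypass waiting to be found.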
“This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security,” Beardsley claimed.
Although the bug was disclosed over a fortnight ago, there has been little discussion of it on Android security forums and no acknowledgement from Google, even though pre-4.4 handsets account for around 75% of all Android smartphones in use today.
“More importantly, 4.2 (Jelly Bean) and prior phones account for nearly 100% of off-the-shelf, lower-end prepaid phones from major manufacturers and carriers,” he continued.
“They still ship the unsupported AOSP browser. These are the kinds of phones that account for a huge chunk of total market share, and yet are still vulnerable to this bug and the WebView addJavascriptInterface vulnerability.”
The AOSP browser itself has been “killed off” by Google, although many Android users still favor it over Dolphin, Chrome, Firefox and other alternatives, according to Beardsley.
The researcher is hoping that a new Metasploit module exploiting the vulnerability will help galvanize the security community into action.