Android Same Origin Policy flaw affects more than 70% devices

Pierluigi Paganini September 17, 2014

A serious vulnerability has been discovered in the default browser on a large number of Android devices that allows an attacker to bypass the Same Origin Policy.

A critical flaw has been discovered in the web browser installed by default on the majority of Android mobile devices; it is estimated that nearly 70 percent of them are affected by the vulnerability, which could be exploited by an attacker to hijack the websites a user has open. A further element of concern is the availability of a dedicated Metasploit module that makes the vulnerability easy to exploit.

“The Android Browser application 4.2.1 on Android allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence,” states the description of the CVE-2014-6041 vulnerability.

The latest release, Android 4.4, is not affected by the flaw, but the new version of the popular mobile OS is installed only on 25 percent of the devices.

The vulnerability CVE-2014-6041 affects Android version 4.2.1 and all older versions and was first discovered in early September by the independent security researcher Rafay Baloch. Baloch found that the AOSP browser installed on Android 4.2.1 is vulnerable to a Same Origin Policy (SOP) bypass, which allows one website to steal data from another.

“Same Origin Policy (SOP) is one of the most important security mechanisms that are applied in modern browsers; the basic idea behind the SOP is that JavaScript from one origin should not be able to access the properties of a website on another origin. A SOP bypass occurs when sitea.com is somehow able to access the properties of siteb.com such as cookies, location, response etc. Due to the nature of the issue and potential impact, browsers have a very strict model pertaining to it and a SOP bypass is rarely found in modern browsers. However, they are found once in a while. The following writeup describes a SOP bypass vulnerability I found in my Qmobile Noir A20 running Android Browser 4.2.1, and later verified that Sony Xperia Tipo, Samsung Galaxy, HTC Wildfire, Motorola etc. are also affected. To the best of my knowledge, the issue occurred due to improper handling of null bytes by the URL parser,” said Baloch in a blog post.

Baloch confirmed that the Same Origin Policy (SOP) bypass works on a large number of devices, including Qmobile Noir, Sony Xperia, Samsung Galaxy S3, HTC Wildfire and Motorola Razr.

[Figure: AOSP browser Same Origin Policy flaw]

Due to the huge impact of the flaw, the Android vulnerability has been dubbed a “privacy disaster” by Tod Beardsley, one of the developers on the Metasploit team. Beardsley said he will post a proof-of-concept video to demonstrate that the flaw is “sufficiently shocking.”

“By malforming a javascript: URL handler with a prepended null byte, the AOSP (Android Open Source Platform) Browser fails to enforce the Same-Origin Policy (SOP) browser security control,” Tod Beardsley of Rapid7 wrote in a blog post.

“What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker's site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.

This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security. Oh, and it gets worse.”
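Both Baloch and Beardsley trace the bug to a URL parser that mishandled a leading null byte in a javascript: URL, so the scheme was never recognised as one that must be confined to the page's own origin. The following is an added example, not code from the article, from the AOSP browser or from either researcher: it contrasts a naive scheme check, which is fooled by the same null-byte prefix, with a normalising check that rejects control characters outright before comparing the scheme. The function names, the scheme allowlist and the sample URLs are constructed for illustration.

```javascript
// Added example: why a prefix comparison is not a safe way to recognise a
// script-executing URL, and a hardened check that does not share the weakness.

// Naive check: compares the first characters of the raw string. A URL that
// starts with a NUL byte ("\u0000javascript:...") fails the comparison at
// character 0, so it is treated as harmless even though a lenient parser
// downstream may still execute it as a javascript: URL.
function naiveIsScriptUrl(url) {
  return url.toLowerCase().startsWith("javascript:");
}

// Schemes that can run script or carry inline content; assumed allowlist
// policy for this example, not a browser-defined constant.
const DANGEROUS_SCHEMES = new Set(["javascript", "data", "vbscript"]);

// Hardened check. Returns "reject", "allow" or "relative".
// 1. Any C0 control character (U+0000..U+001F) or DEL means the string was
//    crafted or corrupted; reject without trying to repair it.
// 2. Trim surrounding whitespace, then extract the scheme with a strict
//    RFC 3986 scheme grammar and compare it case-insensitively.
function classifyUrl(url) {
  if (typeof url !== "string") return "reject";
  if (/[\u0000-\u001F\u007F]/.test(url)) return "reject";
  const trimmed = url.trim();
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(trimmed);
  if (!m) return "relative"; // no scheme: resolved against the current origin
  const scheme = m[1].toLowerCase();
  return DANGEROUS_SCHEMES.has(scheme) ? "reject" : "allow";
}

// Constructed sample of attribute values a content filter or log review
// might encounter; the third entry has the shape described for CVE-2014-6041.
const SAMPLE_URLS = [
  "https://example.com/inbox",
  "javascript:void(0)",
  "\u0000javascript:void(0)",
  " JAVASCRIPT:void(0)",
];

// URLs the naive check lets through but the hardened check rejects.
function missedByNaiveCheck(urls) {
  return urls.filter((u) => !naiveIsScriptUrl(u) && classifyUrl(u) === "reject");
}

// Stand-alone run: prints the two samples the naive check misses.
console.log(missedByNaiveCheck(SAMPLE_URLS).map((u) => JSON.stringify(u)));
```

The point for a defender is the ordering: reject malformed input (control characters, NUL) before any scheme comparison, and only then decide whether the scheme is permitted. A parser that first guesses the scheme and then applies origin checks to that guess is exactly the kind that a stray byte can desynchronise.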

Baloch reported the security issue to the Google security team, but when it came to a reward for the bug, the company replied that it was not able to reproduce the vulnerability.

“We are unable to reproduce this issue though. It’s possible that your OEM has modified the browser in a manner that has created this issue,” said Josh Armour of the Android Security team.

“Android does not currently have a Vulnerability Rewards Program. As far as publicly crediting for the vulnerability, we have started to maintain a list of acknowledgements here. Given that this was published before we had a chance to provide patches, this specific report would not qualify,” the reply continued.

Unfortunately the browser affected by the Same Origin Policy vulnerability cannot be uninstalled by users; while waiting for a fix, Android users should disable it via the “Disable” button under Settings > Apps > All.


Pierluigi Paganini

(Security Affairs – Same Origin Policy, Android)
