Hackers target Facebook users exploiting Same Origin Policy vulnerability

Pierluigi Paganini December 30, 2014

Security Experts at Trend Micro discovered a series of hacking attacks targeting Facebook users and exploiting the Same Origin Policy vulnerability.

A serious security vulnerability affects the default web browser of the Android OS lower than 4.4, according the data provided by Google official dashboard nearly the 66% of Android devices is impacted. The security flaw allows an attacker to bypass the Same Origin Policy (SOP).

Android Same Origin Policy flaw

The Android Same Origin Policy (SOP) vulnerability (CVE-2014-6041) was first disclosed in September 2014 by the security expert Rafay Baloch, which noticed that the AOSP (Android Open Source Platform) browser installed on Android 4.2.1 was vulnerable to Same Origin Policy (SOP) vulnerability that allows one website to steal data from another.

“The Android Browser application 4.2.1 on Android allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick=”window.open(‘\u0000javascript: sequence.”states the description of the CVE-2014-6041 vulnerability.

According to security experts at Trend Micro and Facebook, many users of the popular social network have been targeted by cyber attacks that attempt to exploit the Same Origin Policy (SOP) vulnerability. The attackers used a Metasploit exploit code publicly available to run the attack in an easy and automated way.

“A few months back, we discussed the Android Same Origin Policy (SOP) vulnerability, which we later found to have a wider reach than first thought. Now, under the collaboration of Trend Micro and Facebook, attacks are found which actively attempt to exploit this particular vulnerability, whose code we believe was based in publicly available Metasploit code.” states a blog post published by TrendMicro.

Due to  the huge impact of the Same Origin Policy (SOP) vulnerability, the expert Tod Beardsley has dubbed it “privacy disaster”. Beardsley is one of the developers for the Metasploit team and provided a POC-video to demonstrate that the flaw is “sufficiently shocking.”

“By malforming a javascript: URL handler with a prepended null byte, the AOSP, or Android Open Source Platform (AOSP) Browser) fails to enforce the Same-Origin Policy (SOP) browser security control,” Tod Beardsley of Rapid7 wrote in a blog post. “What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf. This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security. Oh, and it gets worse.”

The Same Origin Policy is a fundamental in the web application security model implemented to protect users’ browsing experience.

” The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number – to access each other’s DOM with no specific restrictions, but prevents access to DOM on different sites.” reads Wikipedia.

According Trend Micro the attackers served a link through a particular Facebook page that redirect Facebook users to a malicious website.

“This attack targets Facebook users via a link in a particular Facebook page that leads to a malicious site. This page contains obfuscated JavaScript code , which includes an attempt to load a Facebook URL in an inner frame. The user will only see a blank page as the page’s HTML has been set not to display anything via its div tag, while the inner frame has a size of one pixel.” continues the post.

Android Same Origin Policy flaw Facebook post

The JavaScript code could be exploited by an attacker to perform various activities on the victim’s Facebook account, including:

  • Adding Friends
  • Like and Follow any Facebook page
  • Modify Subscriptions
  • Authorize Facebook apps to access the user’s public profile, friends list, birthday information, likes.
  • To steal the victim’s access tokens and upload them to their server.
  • Collect analytics data (such as victims’ location, HTTP referrer, etc.) using the legitimate service.

The experts noticed that criminals behind these attacks rely on an official BlackBerry app maintained by BlackBerry in order to steal the access tokens used to hack the Facebook accounts.

“The mobile malware using the Android SOP Exploit (Android Same Origin Policy Bypass Exploit) is designed to target Facebook users regardless of their mobile device platform,” Blackberry told Trend Micro in a statement. “However, it attempts to take advantage of the trusted BlackBerry brand name by using our Facebook web app. BlackBerry is continuously working with Trend Micro and Facebook to detect and mitigate this attack. Note that the issue is not a result of an exploit to Blackberry’s hardware, software, or network.”

To fix the Same Origin Policy Vulnerability it is necessary to apply a patch already available and issued by Google in September. Unfortunately, millions of Android devices are still vulnerable because the manufacturers no longer push the update to its customers. In order to protect yourself, Disable the BROWSER from your Android devices by going to Settings > Apps > All and looking for its icon.

Pierluigi Paganini

(Security Affairs –  Same Origin Policy Vulnerability, Android)

you might also like

leave a comment