Google reportedly addressed the issue, but many users likely await the fix from providers or OEMs.

Researchers are warning Android users of a major vulnerability that impacts a vital browser security mechanism called Same-Origin Policy (SOP).

The bug – called a “privacy disaster” by Tod Beardsley, an engineering manager at Rapid7 who blogged about the issue Monday – is serious because it lets an attacker bypass SOP, which he called “the cornerstone of web privacy.”

While Google has patched the issue, Beardsley told SCMagazine.com in a Tuesday interview, it could still take months for many users to receive the update through their device manufacturers or service providers. The bug, CVE-2014-6041, allows an attacker to circumvent the Same-Origin Policy (SOP) of the Android Open Source Platform (AOSP) browser, a concern for the approximately 75 percent of Android users running versions older than 4.4.

Beyond users of lower-end prepaid phones, which may ship the AOSP browser rather than Chrome as the default, tech-savvy users who simply prefer the AOSP browser could also be targets for attackers, Beardsley said.

“The Android Open Source Platform browser generally has a reputation of working much faster,” Beardsley told SCMagazine.com. “People get it because it's a stripped-down browser. But I looked at about five or six Google results pages on how to get it on your phone, and none of them mention that it's no longer supported [by Google],” he said.

On Sept. 1, researcher Rafay Baloch initially disclosed the vulnerability on his blog, providing a proof-of-concept exploit. Rapid7 also investigated the issue and soon joined in warning users about the threat.

“By malforming a javascript: URL handler with a prepended null byte, an attacker can avoid the Android Open Source Platform (AOSP) Browser's Same-Origin Policy (SOP) browser security control,” Beardsley wrote in his Monday blog post. “What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page,” he explained.
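The failure Beardsley describes is a parser mismatch: the component that enforces SOP decides whether a URL is a javascript: URL by looking at the raw string, while the loader that later executes the URL tolerates a leading control character and runs it anyway. The following is an added illustration of that mismatch, written for this page; it is not the AOSP browser's code and not Baloch's proof of concept, and the exact code path inside the AOSP browser is not stated in the article. All function names, the "strip leading C0 controls" loader behaviour (modelled on what the current WHATWG URL parser does) and the sample URLs are assumptions chosen for the example.

```javascript
// Added illustration of the null-byte scheme-check mismatch described above.
// Hypothetical stand-ins for two browser components that must agree on a
// URL's scheme: the SOP check that decides whether a cross-origin frame may
// be navigated to a javascript: URL, and the loader that later executes it.

// Stand-in for a lenient loader. Like the WHATWG URL parser, it strips
// leading and trailing C0 control characters (U+0000..U+001F) and spaces
// before reading the scheme, so "\u0000javascript:..." loads as javascript:.
function loaderScheme(url) {
  const trimmed = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

// Vulnerable check (illustrative): tests the raw string, so a prepended null
// byte makes it conclude the URL is not javascript: and it lets the
// navigation through. The loader disagrees and runs the script in the
// target frame's origin.
function isJavascriptUrlNaive(url) {
  return url.toLowerCase().startsWith('javascript:');
}

// Hardened check: normalise exactly the way the loader does, then test the
// parsed scheme, so both components reach the same answer.
function isJavascriptUrlHardened(url) {
  return loaderScheme(url) === 'javascript';
}

// Simplified SOP gate for a navigation into a frame owned by another origin
// (the caller is assumed to have already established that the frame is
// cross-origin). Returns 'blocked' when the policy stops it, else 'allowed'.
function crossOriginNavigation(url, isJsUrl) {
  return isJsUrl(url) ? 'blocked' : 'allowed';
}

// Runs both gates over constructed sample URLs and reports, for each, what
// the naive gate does, what the hardened gate does, and whether the loader
// would execute the URL as script.
function demonstrate() {
  const urls = [
    'javascript:alert(document.domain)',       // plain: both gates block
    '\u0000javascript:alert(document.domain)', // null-prefixed: naive gate allows
    'https://example.test/',                   // ordinary navigation: both allow
  ];
  return urls.map((u) => ({
    url: u,
    naive: crossOriginNavigation(u, isJavascriptUrlNaive),
    hardened: crossOriginNavigation(u, isJavascriptUrlHardened),
    loaderRunsScript: loaderScheme(u) === 'javascript',
  }));
}
```

The second row of `demonstrate()` is the bug class in miniature: the naive gate reports `allowed` while `loaderRunsScript` is `true`, which is exactly the disagreement an attacker needs. The fix is not to special-case the null byte but to make the security check consume the same normalised scheme the loader consumes.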

When visiting an attacker's site with another application open, such as webmail, “the attacker could scrape [the victim's] email data and see what [their] browser sees,” Beardsley continued. “Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”

On Tuesday, SCMagazine.com reached out to Google about the vulnerability, but did not immediately hear back from the company.

In his blog post, Beardsley said that he would post a video demonstration of the exploit later in the week. In the meantime, Rapid7 has published a Metasploit module which is available in all versions of Metasploit penetration testing software.