An address bar spoofing vulnerability in the Android stock browser, uncovered in February, could allow attackers to display a trusted URL over content they control and so carry out phishing attacks.
The flaw, discovered by security consultant Rafay Baloch, affects all Android versions.
The issue arises because the browser mishandles an HTTP 204 “No Content” response to a page opened with window.open(): the address bar is updated to the requested URL even though, by definition, a 204 response delivers no new document. That lets an attacker show a legitimate-looking address above attacker-controlled content and potentially trick victims into entering sensitive information, according to Baloch’s blog.
Last month, the Android team committed patches to the KitKat (4.4.x) and Lollipop (5.0.x) branches. Because carriers and device makers ship updates on their own schedules, users should check with their carrier whether the fixed build has reached their device. Until a patch is available, users are advised not to use the device for authentication purposes.
Researcher Joe Vennix helped write the proof of concept, and Rapid7 assisted with disclosing the vulnerability.