Android browser found to have big security flaw
A significant security issue has been found in the Android browser, posing a risk to users’ privacy
A huge security flaw has reportedly been found in Android's browser, and as many as half of users could be at risk, reports ConsumerAffairs.
The problem has apparently been around since last month, but was more recently written about by IT security firm Rapid7 in a blog post. Dubbing it a "privacy disaster," the firm claimed that one of its researchers has been able to exploit the flaw, and that it puts users at serious risk of having their data stolen.
Earlier in September, Rapid7's Joe Vennix said: "I did not believe this at first, but after some testing it seems true: in AOSP browser before Android 4.4, you can load javascript into any arbitrary frame or window [...]"
This "arbitrary website" could be one controlled by a spammer or hacker, according to the blog post, and would allow outside eyes to view the page a user is currently browsing. It could also allow the same attacker to copy session cookies or even interact with something like webmail.
Browsers ordinarily have the Same-Origin Policy that keeps websites from being able to see and interact with content on another site, but a bug in Android browsers will instead leave users vulnerable to attack.
"Any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page," the blog post continues.
"Imagine you went to an attacker's site while you had your webmail open in another window the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
A report on the issue from Ars Technica estimated that around half of Android users could potentially be affected by the problem, saying:
"Android Browser is likely to be embedded in third-party products, too, and some Android users have even installed it on their Android 4.4 phones because for one reason or another they prefer it to Chrome."
Caroline has been writing about technology for more than a decade, switching between consumer smart home news and reviews and in-depth B2B industry coverage. In addition to her work for IT Pro and Cloud Pro, she has contributed to a number of titles including Expert Reviews, TechRadar, The Week and many more. She is currently the smart home editor across Future Publishing's homes titles.
You can get in touch with Caroline via email at caroline.preece@futurenet.com.