
Widespread Android Vulnerability 'A Privacy Disaster', Claim Researchers

This article is more than 9 years old.

Right at the start of September, security researcher Rafay Baloch released details on an Android bug that has now been called a “privacy disaster”.

That apparently hyperbolic statement doesn’t look too far wide of the mark, given that anyone not running the latest release, Android 4.4, is affected. That means as many as 75 per cent of Android devices and millions of users could be open to attack, according to Google's own stats, though not all are likely to be using the affected Android Open Source Project (AOSP) Browser.

The nature of the bug has worried onlookers too. The flaw could allow a bypass of the Same Origin Policy (SOP), the protection every modern browser relies on. Crucially, the SOP stops script running on one site from reading or modifying content that belongs to another site, including sites open in other tabs or frames.

An attacker wanting to exploit this flaw would convince a user to visit their specially crafted website, which would run JavaScript that prepended a null byte to a javascript: URL (a URL scheme that makes the browser execute code rather than load a page), as in "\u0000javascript:<evil stuff>", Rapid7’s Tod Beardsley explained over email. Because the browser did not recognise the null-prefixed string as a javascript: URL, the usual cross-origin restriction on such URLs did not apply, and the script ran in the context of another site, letting the attacker inject whatever JavaScript they wanted across other sites.

From this point on, the attacker can cause untold trouble for the victim. “Normally, I can't just choose to run JavaScript in whatever domain context I want. If I can do that, I can do all sorts of things - scrape web pages, read password fields, hijack a session,” added Beardsley.

“The SOP controls in a browser are what prevents this, so by evading the SOP controls, I can inject code from an origin (my attack website) that's not where a page came from (your Twitter login page).”

Baloch managed to exploit a Samsung Galaxy S3, the Motorola Razr, the Sony Xperia Tipo, the HTC Evo 3D and the HTC Wildfire.

Professor Alan Woodward, security expert from the University of Surrey’s computing department, said it was “a really nasty bug”. “The mere fact that it potentially gives access to private data is a huge problem, after all, it's that data that can then be used to commit further crimes against you,” he added.

“The problem is compounded because mobile operating systems tend not to be updated in the same way as other computing platforms. It's not as bad as industrial control systems, but almost.”

Google said it had nothing to say on the matter as it didn't comment on "rumor and speculation". Its reticence on the issue has caused concern amongst security types, but the tech titan might feel compelled to act now the exploit code has been uploaded to Metasploit, the tool used by ethical and not-so-ethical hackers to breach systems.

UPDATE: Google told me it has released patches for AOSP, which users can review here and here. But the tech titan has irked the researcher who initially found the bug, Rafay Baloch, who sent through emails he claimed were between him and the Google security team.

The messages indicated Baloch disclosed the bug in mid-August. Google responded saying their security team couldn't reproduce the exploit. But after Baloch posted the blog on his own site, Google came back to him to say they could in fact reproduce it, according to the emails.

Baloch didn't get any credit, however. If the emails are genuine, Google told him that he didn't qualify for a reward or recognition as the blog was published before the company had a chance to provide patches.

In the final email to Google, Baloch signed off with the following riposte: "The mistake is from your side, not being able to properly communicate with researchers." Google said it didn't have any comment on the matter.