Serious browser vulnerability affects majority of Android users

CVE-2014-6041, a “serious” Android browser vulnerability that was disclosed by Rafay Baloch earlier this month on his blog, is likely to affect three quarters of Android users globally, according to a recent analysis by Rapid7.

The analysis outlines how the bug works: a malformed javascript: URL handler with a prepended null byte lets an attacker bypass the Android Open Source Platform (AOSP) Browser's Same-Origin Policy (SOP), the browser security control that keeps one site from reading another's content.

Once past this control, “any arbitrary website” can read the contents of any other web page open on the device. This becomes a critical risk when a user visits a site controlled by a malicious spammer or a spy. If webmail is open in another window, the analysis gives as an example, “the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”
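The bug above hinges on a javascript: URL that a naive check misses because of the leading null byte. As an added example (not from the article or from Rapid7's analysis), the following Node.js snippet shows the kind of normalisation a web application should apply to user-supplied links before emitting them, so that null-byte, whitespace, case and percent-encoding tricks do not slip a script URL past a scheme allow-list; the function names and the allow-list are assumptions for illustration.

```javascript
// Added defensive example: validate user-supplied hrefs with an allow-list of
// schemes after normalising the string the way a browser's URL parser would.
// A check such as url.startsWith("javascript:") would miss "\u0000javascript:".

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]); // assumed policy

// Decode percent-encoding (so "%00javascript:" is seen), strip leading and
// trailing C0 control characters (NUL included) and whitespace, and drop
// embedded tab/newline characters, which browsers ignore inside URLs.
function normalizeUrl(raw) {
  let s = String(raw);
  try {
    s = decodeURIComponent(s);
  } catch (e) {
    // Malformed percent-encoding: keep the raw string; it is still checked below.
  }
  s = s.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  s = s.replace(/[\t\n\r]/g, "");
  return s;
}

// Return the lower-cased scheme, or null when the URL is relative.
function extractScheme(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// True only for relative URLs and allow-listed absolute schemes; javascript:,
// data:, vbscript: and anything unknown is rejected. The normalised form is used
// for the decision only; callers emit the original href if it passes.
function isSafeHref(raw) {
  const url = normalizeUrl(raw);
  if (url.length === 0) return false;
  const scheme = extractScheme(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample inputs, including the null-byte form from the article.
const samples = [
  "https://example.com/inbox",
  "\u0000javascript:alert(document.domain)",
  "%00javascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
];
for (const s of samples) console.log(JSON.stringify(s), "->", isSafeHref(s));
```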

Though the vulnerability was disclosed by Baloch on 1 September, there has been no acknowledgement of the bug from Google. According to Rapid7's investigation, there is no listing of this bug in CVE Details' readout of Android issues, and no apparent chatter about it in the Android security community.