Independent security researcher Rafay Baloch has written about a security bug in the Android Browser app that allows one website to steal data from another.
The guys over at Metasploit are calling it a “Privacy Disaster.”
Web security depends very heavily on a principle known as the Same Origin Policy.
Anyway, Rafay Baloch found a way of sucking in content from another site into an IFRAME, and then reading Document Object Model (DOM) data from that IFRAME using some JavaScript trickery outside the IFRAME.
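To make the policy the bug breaks concrete, here is an added JavaScript example (not code from the article or from the researcher's write-up, and it does not reproduce the bypass): an origin comparison as the Same Origin Policy defines it, plus a self-check a page can run against an embedded frame to confirm the browser keeps a cross-origin frame's DOM out of reach. The fake frame objects are constructed so the file runs offline under Node.

```javascript
// Same Origin Policy helpers. Added illustration, not the article's code.

// Two URLs share an origin only when scheme, host and port all match.
// The WHATWG URL parser lowercases the host and drops default ports
// (80 for http, 443 for https), so "http://a.example:80/" matches "http://a.example/".
function isSameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Self-check run from the embedding page against an <iframe> element.
// A policy-enforcing browser throws a SecurityError (or yields no document)
// when script from one origin touches contentWindow.document of a frame
// holding another origin. Getting a usable document back means the frame's
// DOM leaked across origins, which is exactly what the bug above allows.
function frameDomIsolation(frame) {
  try {
    const doc = frame.contentWindow.document;
    return doc ? 'leaked' : 'blocked';
  } catch (err) {
    return 'blocked'; // SecurityError: the policy held
  }
}

// Constructed stand-ins for a real <iframe>, so the check can run without a browser.
function makeIsolatedFrame() {
  return {
    contentWindow: {
      get document() { throw new Error('SecurityError: cross-origin access denied'); },
    },
  };
}

function makeLeakyFrame() {
  return { contentWindow: { document: { title: 'cross-origin page contents' } } };
}

console.log(isSameOrigin('http://example.com/a', 'http://example.com:80/b')); // true
console.log(isSameOrigin('http://example.com/', 'https://example.com/'));     // false
console.log(frameDomIsolation(makeIsolatedFrame())); // blocked
console.log(frameDomIsolation(makeLeakyFrame()));    // leaked
```

In a real page, `frameDomIsolation(document.getElementById('probe'))` against a frame pointing at a different origin should always report `blocked`; any other result is the browser failing the policy.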
The good news is that the Android Browser app, known simply as Browser, has been discontinued by Google.
You can still get hold of it and install it if you want, but Android 4.4 (KitKat) doesn’t have it by default.
The bad news is that older versions of Android (apparently, anything before 4.4) do come with Browser.
And, because Browser isn’t being developed any more, this bug might well be there to stay, unless your phone vendor decides to offer a firmware update to replace it.
What to do?
Stop using Browser if you have it installed.
You almost certainly can’t uninstall it, because it’s usually part of the operating system build itself, meaning it doesn’t show up under Settings | Apps | Downloaded.
But if you tap on Browser from the All apps page, you should see a [Disable] button.
This disarms the danger by stopping the risky Browser app from being used again.
A decent Mobile Device Management (MDM) product should help to defuse the risk by inhibiting the Browser app remotely.
You’ll need to provide your users with another browser in its place, of course, but your MDM software should make that pretty easy, too.
Well-known replacement browsers include Firefox, Chrome and Dolphin.
1 Comment
Tomi Engdahl says:
“Shocking” Android browser bug could be a “privacy disaster”: here’s how to fix it
http://nakedsecurity.sophos.com/2014/09/16/shocking-android-browser-bug-could-be-a-privacy-disaster-heres-how-to-fix-it/