Professional penetration tester and author of the book ‘Ethical Hacking and Penetration Testing Guide’, Rafay Baloch identified a major vulnerability in the Android Open Source Platform (AOSP) Browser and reported it to Google on August 13.
The 21-year-old also shared a proof of concept (PoC) for the security bug – which he defined as a Same Origin Policy (SOP) bypass – with the company but the California-based internet giant could not reproduce it for over two weeks, according to his email correspondence with the Android security team.
It was only after August 31, when the young techie released this information on his blog, that Android was able to reproduce the bug and released patches for the AOSP Browser. The issue, however, had already been picked up by the world’s major technology blogs and publications before the company could fix it.
“Right at the start of September, security researcher Rafay Baloch released details on an Android bug that has now been called a ‘privacy disaster’,” www.forbes.com said in a September 16 report.
The report added that anyone not running the latest release, Android 4.4, is affected. “That means as many as 75% of Android devices and millions of users could be open to attack,” it said quoting Google’s stats; though not all are likely to be using the affected browser, the report said.
The flaw can allow a bypass of the Same Origin Policy (SOP) protection, which is implemented in most browsers, such as Internet Explorer, Mozilla Firefox and Google Chrome, Baloch told The Express Tribune.
The SOP “stops malicious code from spilling over from one site to others open on separate tabs,” the Forbes report said.
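To make concrete what the policy quoted above actually compares, here is an added example (not code from the article, from Google, or from Baloch's research) implementing the origin check a browser performs: two documents are "same origin" only if scheme, host and port all match, and path, query and fragment are ignored. The URL strings in the demo are constructed for illustration; the names `originOf`, `isSameOrigin` and `originDiff` are this example's own.

```javascript
// Added example: the (scheme, host, port) tuple compared by the Same Origin
// Policy. Uses the WHATWG URL class available in Node.js and browsers.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Compute the origin of a URL as a normalised "scheme://host:port" string.
// Returns null for unparseable URLs or schemes without a host-based origin.
function originOf(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null;
  }
  if (!(parsed.protocol in DEFAULT_PORTS)) {
    return null;
  }
  // The URL parser drops a default port, so ":80" and no port compare equal.
  const port = parsed.port || DEFAULT_PORTS[parsed.protocol];
  return `${parsed.protocol}//${parsed.hostname}:${port}`;
}

// The core SOP decision: a script may read another document's DOM, cookies
// or responses only when both documents have identical origins.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Which components of the origin tuple differ between two URLs. Useful when
// triaging a reported bypass: the policy should deny access if ANY entry here
// is non-empty, regardless of how similar the URLs look.
function originDiff(a, b) {
  const pa = new URL(a);
  const pb = new URL(b);
  const diff = [];
  if (pa.protocol !== pb.protocol) diff.push('scheme');
  if (pa.hostname !== pb.hostname) diff.push('host');
  const portA = pa.port || DEFAULT_PORTS[pa.protocol];
  const portB = pb.port || DEFAULT_PORTS[pb.protocol];
  if (portA !== portB) diff.push('port');
  return diff;
}

// Constructed sample pairs: a page on the first URL trying to read the second.
function demo() {
  const pairs = [
    ['http://example.com/page', 'http://example.com:80/other?x=1#frag'], // same origin
    ['http://example.com/', 'https://example.com/'],                       // scheme differs
    ['http://example.com/', 'http://sub.example.com/'],                    // host differs
    ['http://example.com/', 'http://example.com:8080/'],                   // port differs
  ];
  return pairs.map(([a, b]) => ({
    from: a,
    to: b,
    allowed: isSameOrigin(a, b),
    differs: originDiff(a, b),
  }));
}

for (const row of demo()) {
  console.log(`${row.from} -> ${row.to}: ${row.allowed ? 'ALLOW' : 'DENY'} ${row.differs.join(',')}`);
}

module.exports = { originOf, isSameOrigin, originDiff, demo };
```

Note that the two "example.com" rows with a different subdomain or port are denied even though a human reader would treat them as the same site: the policy is deliberately strict, which is why a bug that lets one origin read another's data, as in the AOSP Browser flaw, is treated as serious.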
“It was a really nasty bug. The mere fact that it potentially gives access to private data is a huge problem, after all, it’s that data that can then be used to commit further crimes against you,” it quoted Professor Alan Woodward, a security expert from the University of Surrey’s computing department, as saying.
This is not the first time Baloch has reported a major security flaw in a global technology company’s software. He has been participating in various bug bounty programmes to help several major internet corporations improve their internet security.
For example, he was rewarded with $10,000 in cash and a job offer from PayPal for finding a remote code execution vulnerability, along with several other high-risk vulnerabilities, inside the online money transfer service.
While Baloch’s research led to the fixing of the AOSP Browser bug, the internet giant disqualified him for any reward or credit for his contribution.
“Android does not currently have a vulnerability rewards programme. Android is covered in the Patch Rewards Programme though,” Josh Armour from Android Security told Baloch, according to the email correspondence between the two. “Given that this [the bug] was published before we had a chance to provide patches, this specific report would not qualify,” Armour wrote to Baloch.
Disappointed with Google’s response, the researcher said he had disclosed the bug more than two weeks prior to publishing it, so it was “Google’s fault for not being able to reproduce it.”
“It was a serious security threat and should have been fixed immediately,” he said. “Yes, I can fix this quickly,” the white hat hacker said in response to a question.
The Express Tribune contacted Badar Khushnood, Google’s Country Consultant for Pakistan, but had not received any response by the filing of this report.
Published in The Express Tribune, September 20th, 2014.
COMMENTS (10)
People who aren't sure if their password is secure should use PasswordTurtle.com! PasswordTurtle makes passwords from normal English phrases so the passwords are easy to remember and secure. I use them whenever I make a new online account.
@Md Imran: TCP/IP based ARPANET was established way back in 1969.
Google should not downplay the bug report.
I've been saying this for a long time... we Pakistanis, if we can put our brains together, we will inshallah be a superpower in 5 yrs. Where would UK's NHS be without Pakistani doctors? Where would Google, IBM, Microsoft etc. be without Pakistani engineers? Where would the Wall St banks be without our economists? It's a tragedy that our leaders have let us down. It is all in branding. Bigger conspiracies have been made against Pakistanis in the past. In 1984, a Lahore GCU college professor by name Abdus Sattar successfully transmitted data bits between 2 networks. In essence, so huge the impact was of his research it has changed the face of this world and how humans live forever. What is beyond tragic is the fact that Abdus Sattar was never given credit. In fact the DARPA in US took Sattar sahib's idea and extended it to call it the "internet".
Mr. Zog - absolutely you are right, we must ditch mullahism and rejoin the world via the enlightened democracy of bilawal bhutto zardari and etc. surely that will bring much progress to economis, researche, sportes and cultures
Another shining star from Pakistan, matchless, don't worry keep on doing your good work.
Yet another Pakistani denied his fair due in this world !!
There is so much talent in Pakistan.
Can we please ditch mullahism and rejoin the world.
Let's focus on economics, research, sport, culture.
I read a report in Washington Post yesterday with a totally different version. All credit was given to Google, no mention of Baloch!!! This reflects poorly on WP.