KARACHI: A Pakistani security researcher has helped Google fix a major security flaw in its Android operating system for smartphones, protecting the personal data of millions of smartphone users across the world.
Professional penetration tester and author of the book ‘Ethical Hacking and Penetration Testing Guide’, Rafay Baloch identified a major vulnerability in the Android Open Source Platform (AOSP) Browser and reported it to Google on August 13.
The 21-year-old also shared a proof of concept (PoC) for the security bug – which he defined as a Same Origin Policy (SOP) bypass – with the company but the California-based internet giant could not reproduce it for over two weeks, according to his email correspondence with the Android security team.
It was only after August 31, when the young techie released this information on his blog, that Android was able to reproduce the bug and release patches for the AOSP Browser. The issue, however, had already been picked up by the world’s major technology blogs and publications before the company could fix it.
“Right at the start of September, security researcher Rafay Baloch released details on an Android bug that has now been called a ‘privacy disaster’,” www.forbes.com said in a September 16 report.
The report added that anyone not running the latest release, Android 4.4, is affected. “That means as many as 75% of Android devices and millions of users could be open to attack,” it said, quoting Google’s stats, though not all are likely to be using the affected browser, the report said.
The flaw can allow a bypass of the Same Origin Policy (SOP) protection, which is implemented in most browsers, such as Internet Explorer, Mozilla Firefox and Google Chrome, Baloch told The Express Tribune.
The SOP “stops malicious code from spilling over from one site to others open on separate tabs,” the Forbes report said.
“It was a really nasty bug. The mere fact that it potentially gives access to private data is a huge problem, after all it’s that data that can then be used to commit further crimes against you,” it quoted Professor Alan Woodward, a security expert from the University of Surrey’s computing department, as saying.
This is not the first time Baloch has reported a major security flaw in a global technology company’s software. He has been participating in various bug bounty programmes to help several major internet corporations improve their internet security.
For example, he was rewarded with $10,000 in cash and a job offer from PayPal for finding a remote code execution vulnerability along with several other high-risk vulnerabilities inside the online money transfer service.
While Baloch’s research led to the fixing of the AOSP Browser bug, the internet giant disqualified him from any reward or credit for his contribution.
“Android does not currently have a vulnerability rewards programme. Android is covered in the Patch Rewards Programme though,” Josh Armour from Android Security told Baloch, according to the email correspondence between the two. “Given that this [the bug] was published before we had a chance to provide patches, this specific report would not qualify,” Armour wrote to Baloch.
Disappointed with Google’s response, the researcher said he disclosed the bug more than two weeks prior to publishing the same so it was “Google’s fault for not being able to reproduce it.”
“It was a serious security threat and should have been fixed immediately,” he said. “Yes, I can fix this quickly,” the white hat hacker said in response to a question.
The Express Tribune contacted Badar Khushnood, Google’s Country Consultant for Pakistan, but did not receive any response till the filing of this report.
Published in The Express Tribune, September 20th, 2014.