On a roll: Another bug exposed by Pakistani researcher

Patches released after SOP bypass vulnerability identified in Android’s built-in browser.


Farooq Baloch October 04, 2014
On a roll: Another bug exposed by Pakistani researcher

KARACHI:


Little over a month after he helped Google Inc fix a security bug in Android’s built-in browser, security researcher Rafay Baloch discovered yet another same-origin policy (SOP) bypass vulnerability in the browser’s versions prior to 4.4, which allows attackers to steal personal data from millions of Android phone users. 


Unlike last time when it took more than two weeks to fix the problem, the technology giant has already released patches. However, the Pakistani white-hat tells The Express Tribune that Google’s security team has applied the patches to Jelly Bean users while the downstream users – those on Ice Cream Sandwich and Gingerbread – may still be at risk.

The aforesaid vulnerability, according to Baloch, carries the same consequences as he had prevented earlier in August.

He was lauded by several of the world’s major technology blogs and publications for identifying the vulnerability in the Android Open Source Platform (AOSP) Browser.

The security flaw can allow a bypass of the SOP protection, which is implemented in most browsers such as Internet Explorer, Mozilla Firefox and Google Chrome, said Baloch.

“It gives attackers access to private data that can be misused — something SOP prevents from happening.”

Information security analysts had already termed the bug a ‘privacy disaster’ but a security intelligence blog Trendmicro recently noted that the vulnerability has a “wider reach than thought”.

To check the reach of the said vulnerability, the blog’s team downloaded the top 100 applications on Google Play with ‘browser’ in their names and found that 42% of these apps were vulnerable, according to a post on Trendmicro.

“Currently, there is not much that users can do to avoid this problem. They can opt to use browsers that are not affected by this vulnerability, such as Chrome or Firefox,” the blog said.

Google’s representative in Pakistan was not available to comment or respond to the queries.

Baloch is a professional penetration tester who participates in various bug bounty programmes to help several major Internet corporations improve their Internet security. The 21-year-old white hat is the author of Ethical Hacking and Penetration Testing Guide, his first book on internet security that he finished early this year.

Published in The Express Tribune, October 5th, 2014.

Like Business on Facebook, follow @TribuneBiz on Twitter to stay informed and join in the conversation.

COMMENTS (7)

IAK | 10 years ago | Reply

Great job done. Keep up the good work!

Moiz Omar | 10 years ago | Reply Great job Mr. Rafay Baloch!!
VIEW MORE COMMENTS
Replying to X

Comments are moderated and generally will be posted if they are on-topic and not abusive.

For more information, please see our Comments FAQ