KARACHI:
Little over a month after he helped Google Inc fix a security bug in Android’s built-in browser, security researcher Rafay Baloch discovered yet another same-origin policy (SOP) bypass vulnerability in the browser’s versions prior to 4.4, which allows attackers to steal personal data from millions of Android phone users.
Unlike last time when it took more than two weeks to fix the problem, the technology giant has already released patches. However, the Pakistani white-hat tells The Express Tribune that Google’s security team has applied the patches to Jelly Bean users while the downstream users – those on Ice Cream Sandwich and Gingerbread – may still be at risk.
The aforesaid vulnerability, according to Baloch, carries the same consequences as he had prevented earlier in August.
He was lauded by several of the world’s major technology blogs and publications for identifying the vulnerability in the Android Open Source Platform (AOSP) Browser.
The security flaw can allow a bypass of the SOP protection, which is implemented in most browsers such as Internet Explorer, Mozilla Firefox and Google Chrome, said Baloch.
“It gives attackers access to private data that can be misused — something SOP prevents from happening.”
Information security analysts had already termed the bug a ‘privacy disaster’ but a security intelligence blog Trendmicro recently noted that the vulnerability has a “wider reach than thought”.
To check the reach of the said vulnerability, the blog’s team downloaded the top 100 applications on Google Play with ‘browser’ in their names and found that 42% of these apps were vulnerable, according to a post on Trendmicro.
“Currently, there is not much that users can do to avoid this problem. They can opt to use browsers that are not affected by this vulnerability, such as Chrome or Firefox,” the blog said.
Google’s representative in Pakistan was not available to comment or respond to the queries.
Baloch is a professional penetration tester who participates in various bug bounty programmes to help several major Internet corporations improve their Internet security. The 21-year-old white hat is the author of Ethical Hacking and Penetration Testing Guide, his first book on internet security that he finished early this year.
Published in The Express Tribune, October 5th, 2014.
Like Business on Facebook, follow @TribuneBiz on Twitter to stay informed and join in the conversation.
COMMENTS (7)
Comments are moderated and generally will be posted if they are on-topic and not abusive.
For more information, please see our Comments FAQ
Great job done. Keep up the good work!
I am trying to find something negative to write, but I can't.
Hari Kumar Mumbai
It is an excellent job done by Mr Baloch. Well done and we are proud of you.
Super job Baloch. We praise your work.
Good Job no Great Job Keep it up and i hope Google reward's you i mean the least they can do unlike last time when they didn't even give you credit,Don't give a fk keep it up and keep rocking show the world :]
Good job Mr.Baloch; keep it up.