Pinterest Stumbleupon Whatsapp
Ads by Google

Are you yet to upgrade to Android 4.4 KitKat? Here’s something that might give you a bit of encouragement to make the switch: a serious issue with the stock browser on pre-KitKat phones has been discovered, and it could allow malicious websites to access the data of other websites. Sounds scary? Here’s what you need to know

The issue – which was first discovered by researcher Rafay Baloch – sees malicious websites being able to inject arbitrary JavaScript into other frames, which could see cookies stolen, or the structure and markup of websites being directly interfered with.

Security researchers are desperately worried by this, with Rapid7 – the makers of the popular security testing framework, Metasploit – describing it as a ‘privacy nightmare’. Curious about how it works, why you should be worried, and what you can do about it? Read on for more.

A Basic Security Principle: Bypassed

The basic principle which should prevent this attack from occurring in the first place is called Same Origin Policy. In short, it means that client-side JavaScript running in one website should not be able to be interfere with another website.

This policy has been a foundation of web application security, ever since it was first introduced in 1995 with Netscape Navigator 2. Every single web browser has implemented this policy, as a fundamental security feature, and as a result it is incredibly rare to see such a vulnerability in the wild.

Ads by Google

For more information on how SOP works, you may wish to watch the above video. This was taken at an OWASP (Open Web App Security Project) event in Germany, and is one of the best explanations of the protocol I’ve seen so far.

When a browser is vulnerable to a SOP bypass attack, there’s a lot of room for damage. An attacker could feasibly do anything, from use the location API introduced with the HTML5 spec to find out where a victim is located, all the way to stealing cookies.

Fortunately, most browser developers take this kind of attack seriously. Which makes it all the more noteworthy to see such an attack ‘in the wild’.

How The Attack Works

So, we know Same Origin Polity is important. And we know that a massive failing of the stock Android browser can potentially lead to attackers circumventing this crucial security measure? But how does it work?

Well, the proof of concept given by Rafay Baloch looks a bit like this:

<iframe name="test" src="http://www.rhainfosec.com"></iframe> <input type=button value="test" onclick=“window.open('\u0000javascript:alert(document.domain)','test')"

So, what do we have here? Well, there’s an iFrame. This is a HTML element that is used to allow websites to embed another web page within another web page. They’re not used as much as they used to be, largely because they’re an SEO nightmare 10 Common SEO Mistakes that can Destroy Your Website [Part I] 10 Common SEO Mistakes that can Destroy Your Website [Part I] Read More . However, you still often find them from time to time, and they’re still a part of the HTML specification, and have not yet been deprecated.

Following that is a HTML tag representing an input button. This contains some specially crafted JavaScript (notice that trailing ‘\u0000’?) that, when clicked, outputs the domain name of the current website. However, due to an error in the Android browser, it ends up accessing the attributes of the iFrame, and ends up printing ‘rhaininfosec.com’ as a JavaScript alert box.

android-html-attack

On Google Chrome, Internet Explorer and Firefox, this type of attack would simply error out. It’d (depending on the browser) also produce a log in the JavaScript console informing that the browser blocked the attack. Except, for some reason, the stock browser on pre-Android 4.4 devices does not do that.

android-html-console

Printing out a domain name isn’t terribly spectacular. However, gaining access to cookies and executing arbitrary JavaScript in another website is rather worrying. Thankfully, there’s something that can be done.

What Can Be Done?

Users have a few options here. Firstly, stop using the stock Android browser. It’s old, it’s insecure and there are far more compelling options in the market right now. Google has released Chrome for Android Google Chrome Finally Launches For Android (ICS Only) [News] Google Chrome Finally Launches For Android (ICS Only) [News] Read More (although, only for devices running Ice Cream Sandwich and up), and there’s even mobile variants of Firefox and Opera available Opera Launches New Versions Of Mobile Browsers [News] Opera Launches New Versions Of Mobile Browsers [News] Read More .

Firefox Mobile in particular is worth paying attention to. In addition to offering an amazing browsing experience, it also allows you to run applications for Mozilla’s own mobile operating system, Firefox OS Top 15 Firefox OS Apps: The Ultimate List For New Firefox OS Users Top 15 Firefox OS Apps: The Ultimate List For New Firefox OS Users Of course there is an app for that: It's web technology after all. Mozilla's mobile operating system Firefox OS that, instead of native code, uses HTML5, CSS3 and JavaScript for its apps. Read More , as well as install a wealth of awesome add-ons Unmissable Addons For Firefox On Your Android Device Unmissable Addons For Firefox On Your Android Device Firefox for Android has a trick up its sleeve: Add-ons. Just as Firefox offers a more powerful extension system than Chrome on the desktop, it beats Chrome for Android by supporting extensions. You can install... Read More .

If you want to be especially paranoid, there’s even a porting of NoScript for Firefox Mobile. Although, it should be noted that most websites are heavily dependent upon JavaScript for rendering client-side niceties What is JavaScript and How Does It Work? [Technology Explained] What is JavaScript and How Does It Work? [Technology Explained] Read More , and using NoScript will almost certainly break most websites. This, perhaps, explains why James Bruce described it as part of the ‘trifecta of evil AdBlock, NoScript & Ghostery - The Trifecta Of Evil AdBlock, NoScript & Ghostery - The Trifecta Of Evil Over the past few months, I've been contacted by a good number of readers who have had problems downloading our guides, or why they can't see the login buttons or comments not loading; and in... Read More ‘.

Finally, if possible, you’d be encouraged to update your Android browser to the latest version, in addition to installing the latest version of the Android operating system. This ensures that should Google release a fix for this bug further down the line, you are protected.

Although, it’s worth noting that there are rumblings that this issue could potentially hit users of Android 4.4 KitKat. However, nothing has emerged that is sufficiently substantial for me to advise readers to switch browsers.

A Major Privacy Bug

Make no mistake, this is a major smartphone security issue What You Really Need To Know About Smartphone Security What You Really Need To Know About Smartphone Security Read More . However, by switching to a different browser, you become virtually invulnerable. However, a number of questions remain about the overall security of the Android operating system.

Will you be switching to something a bit more secure, like super-secure iOS Smartphone Security: Can iPhones Get Malware? Smartphone Security: Can iPhones Get Malware? Malware affecting "thousands" of iPhones can steal App Store credentials, but the majority of iOS users are perfectly safe – so what's the deal with iOS and rogue software? Read More or (my favorite) Blackberry 10 10 Reasons To Give BlackBerry 10 A Try Today 10 Reasons To Give BlackBerry 10 A Try Today BlackBerry 10 has some pretty irresistible features. Here are ten reasons why you might want to give it a go. Read More ? Or perhaps will you be staying loyal to Android, and installing a secure ROM like Paranoid Android or Omirom 5 Reasons Why You Should Flash OmniROM To Your Android Device 5 Reasons Why You Should Flash OmniROM To Your Android Device With a bunch of custom ROM options out there, it can be hard to settle on just one -- but you should really consider OmniROM. Read More ? Or perhaps you’re not even that worried.

Let’s chat about it. The comments box is below. I can’t wait to hear your thoughts.

  1. Howard B
    September 26, 2014 at 6:06 pm

    Same problem with my Huawei H838C - it came with Chrome Browser preinstalled (which I removed with root access). I use Firefox Mobile instead.

    • Matthew H
      September 29, 2014 at 3:53 pm

      Good shout. You should be secure with that!

  2. Steve
    September 25, 2014 at 6:11 pm

    //Are you yet to upgrade to Android 4.4 KitKat? Here’s something that might give you a bit of encouragement to make the switch://

    No, as the choice isn't actually mine, due to the simple fact that if you do not have one of the top end Android phones, you rarely get an OS upgrade.

    I bought a new Huawei Y300 when it was on 4.1. We are now on 4.4 and still no upgrade. An email from them confirmed it never would be.

    Before that it was a Samsung Galaxy Ace - also new. That has never had an upgrade to the OS.

    The only ones that I have got the upgrade for were the Moto G and the Nexus 7 2013 tablet.

    Yes, I use the Chrome browser, but saying people should upgrade their Android OS is disingenuous, when the choice is not usually theirs to make.

    • Matthew H
      September 26, 2014 at 2:17 pm

      You're quite right. Thanks for your comment.

      With relation to the Huawei Y300, our only real option (besides get a new phone, which I can understand being quite unattractive) is to install a custom ROM. Cyanogen Mod offers a Kitkat one for your model device.

      Cheers!
      Matt

Leave a Reply

Your email address will not be published. Required fields are marked *