As many as 75 per cent of Android devices and millions of users could have been affected by a glitch had it not been for Pakistani security researcher Rafay Baloch.
According to reports, Baloch helped Google identify the threat — dubbed a “privacy disaster” — in its Android Open Source Platform (AOSP) Browser.
In a blog posted earlier this month, Baloch revealed that all users who had not run the latest release, Android 4.4, were vulnerable to the “Same Origin Policy (SOP)” bypass. He found the vulnerability first in his QMobile Noir A20 running Android Browser 4.2.1, and later verified it by running tests on Sony Xperia, Samsung Galaxy, HTC Wildfire and some other sets.
“Same Origin Policy (SOP) is one of the most important security mechanisms that are applied in modern browsers, the basic idea behind the SOP is the JavaScript from one origin should not be able to access the properties of a website on another origin,” said Baloch on his blog.
Tod Beardsley of Rapid7, in another blog post, explains what this SOP bypass could do: “What this means is any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page.
Imagine you went to an attacker’s site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees.
Worse, he could snag a copy of your session cookie and hijack your session completely and read and write webmail on your behalf.
“This is a privacy disaster. The Same Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security,” writes Beardsley.
