A massive security vulnerability has been discovered in all versions of the default Android browser, which is in use on millions of devices around the world. The flaw allows attackers to run scripts that can read the contents of any open tab, including things such as cookies and credentials that might let them harvest private data even later.
Users of devices running any version of
Android prior to 4.4 with the standard browser are affected. According to Google's own analytics, quoted by
Android Central and security community website
SecurityStreet, this affects at least 75 percent of all Android users. A very large proportion of new phones also ship with Android 4.3 or lower.
The flaw was first publicised by ethical hacker and blogger
Rafay Baloch, who has since tested it on a variety of devices. His findings have further been confirmed by others in the security industry. A module that exploits this flaw is also now widely available for the Metasploit penetration testing framework.
The problem relates to the inability of the Android (AOSP) browser to uphold a fundamental assumption, which is that websites which are open should be able to execute scripts, but those should not be able to affect the contents of any other open websites. The concept, known as Single-Origin Policy, can be bypassed for the Android browser by deliberately feeding it a malformed instruction which allows scripts to be run without supervision. The relatively simple exploit thus allows attackers to read data even from secure sites once they are opened, and redirect the data to wherever they want.
Google has not yet responded to the disclosure. The Android browser was officially deprecated in favour of Chrome with Android 4.4. A huge number of devices currently in use will never be updated to 4.4, including many low-priced ones that are being sold as new today.