Last updated at Fri, 21 Jul 2017 16:14:49 GMT
What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window -- the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.
This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security. Oh, and it gets worse.
When this vulnerability was announced by Balcoh, it was met with... total silence. There has been no acknowledgement of the bug from Google, as far as we can tell. There's no listing of this bug on CVEDetail's readout of Android issues, and no chatter (we could find) in the Android security community about this bug.
Research and testing is still ongoing to plumb the depths of this issue. We'd like to pin down exactly when the bug was fixed, and to determine just how widespread this vector really is. After all, pre-4.4 builds of Android account for about 75% of the total Android ecosystem today.
While the AOSP browser has "been killed off" by Google, it is wildly popular, even on modern devices used by sophisticated users who prefer the stock browser over Google Chrome, Firefox, Dolphin, or other browsers. A quick search for "AOSP browser" turns up page after page of instructions and HOWTOs on re-installing this defunct, unsupported-by-Google software. Among the top pages, I could find absolutely no mention of security concerns in reinstalling the original stock browser.
Later this week, I'll have a demo of the bug all video'ed up that's sufficiently shocking. I'd really like to continue the conversation about security for mid- to low-end devices that people trust with the details of their lives. I hope this Metasploit module (which is available today in all versions of Metasploit) spurs along the conversation on what we can do to ensure that the users of normal, off-the-shelf, brand-new phones aren't so vulnerable to privacy violations.
Edit: Changed Rafay's disclosure date to September 1, 2014. This appears to be more accurate when considering the GMT timezone. Clarified that the AOSP browser "has been killed off," not all of AOSP.