Independent security researcher Rafay Baloch has written about a security bug in the Android Browser app that allows one website to steal data from another.
The guys over at Metasploit are calling it a “Privacy Disaster,” and promising to take the time to create a video that is “sufficiently shocking” in order to show you why.
So, what went wrong, and what should you do?
The Same Origin Policy
Web security depends very heavily on a principle known as the Same Origin Policy.
Very loosely speaking, this says that only web content (such as JavaScript) from site X can access information already sent to your browser by site X.
It’s easy for site Y to pull in content from site X, for example by using an IFRAME, or inline frame.
So attackers can easily send you a web page that causes your browser to suck in their content, mixed with my content, including important data such as session cookies.
What these attackers are not supposed to be able to do in their web code is to get hold of anything I sent to you.
The browser may display our content intermingled – when presenting a Facebook widget, for instance – but it mustn’t allow it to be mixed together programmatically.
Otherwise it would be a simple matter for crooks to put JavaScript into their pages to suck private data out of the content supplied by me (such as the abovementioned login cookies).
They could then send the stolen data back to their servers to misuse at their leisure.
Anyway, Rafay Baloch found a way of sucking in content from another site into an IFRAME, and then reading Document Object Model (DOM) data from that IFRAME using some JavaScript trickery outside the IFRAME.
Ironically, he did it by registering a JavaScript callback using a URL text string that started with a NUL, or “zero” character.
NUL is just another character in JavaScript text strings, but usually denotes the end of a string in C.
Presumably, when the Android browser validates the URL to see if it’s suspicious, it stops checking for risky content at the NUL character.
But when it actually processes the URL, it ignores the NUL byte, just as it might skip over leading tabs or spaces.
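The check-versus-use gap described above, modelled as an added example (not code from the article or from the Android source): a validator that reads the URL the way C reads a string, so it stops at the NUL, beside a URL processor that skips leading NULs like whitespace, and a fixed validator that normalises first and refuses control characters. The function names and sample URLs are constructed for the demo.

```javascript
// Constructed model of the NUL check/use mismatch; none of these names are
// from the Android code base.

// Schemes a browser must never let a page inject into another site's frame.
const RISKY_SCHEMES = ["javascript:", "data:"];

// C-style view of a JavaScript string: everything after the first NUL is
// invisible, because C treats NUL as the end of the string.
function cStringView(s) {
  const i = s.indexOf("\u0000");
  return i === -1 ? s : s.slice(0, i);
}

// Buggy validator: scans only the C-string view, so a leading NUL hides the
// whole URL from the check and it passes as harmless.
function buggyIsRisky(url) {
  const seen = cStringView(url).trim().toLowerCase();
  return RISKY_SCHEMES.some(p => seen.startsWith(p));
}

// URL processor: strips leading control characters and whitespace (as the
// article says the browser did), then extracts the scheme that will run.
function effectiveScheme(url) {
  const cleaned = url.replace(/^[\u0000-\u0020]+/, "").toLowerCase();
  const m = cleaned.match(/^[a-z][a-z0-9+.-]*:/);
  return m ? m[0] : null;
}

// Fixed validator: reject any control byte outright, then judge exactly the
// normalised string the processor will act on, so check and use agree.
function fixedIsRisky(url) {
  if (/[\u0000-\u001f]/.test(url)) return true;
  const scheme = effectiveScheme(url);
  return scheme !== null && RISKY_SCHEMES.includes(scheme);
}

// Report what each validator decides and what the processor would execute.
function compare(url) {
  return { buggy: buggyIsRisky(url), fixed: fixedIsRisky(url), scheme: effectiveScheme(url) };
}

// Constructed sample URLs: an ordinary link, a plainly risky one, and the
// NUL-prefixed form that slips past the buggy check but not the fixed one.
const SAMPLES = ["https://example.test/page", "javascript:void(0)", "\u0000javascript:void(0)"];
for (const url of SAMPLES) {
  console.log(JSON.stringify(url), compare(url));
}
```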
Good and bad news
The good news is that the Android Browser app, known simply as Browser, has been discontinued by Google.
You can still get hold of it and install it if you want, but Android 4.4 (KitKat) doesn’t have it by default.
The bad news is that older versions of Android (apparently, anything before 4.4) do come with Browser.
And, because Browser isn’t being developed any more, this bug might well be there to stay, unless your phone vendor decides to offer a firmware update to replace it.
But if your phone vendor were in the habit of pushing out firmware updates, you’d reasonably expect to have Android 4.4 already and this bug would be moot.
What to do?
Stop using Browser if you have it installed.
You’ll know you have it by going to Settings | Apps | All and looking for its tell-tale icon.
You almost certainly can’t uninstall it, because it’s usually part of the operating system build itself, meaning it doesn’t show up under Settings | Apps | Downloaded.
But if you tap on Browser from the All apps page, you should see a [Disable] button where you’d usually see [Uninstall].
This will let you disarm the danger by preventing you from using the risky Browser app again.
If you’re looking after a fleet of Androids as part of a Bring Your Own Device (BYOD) programme, a decent Mobile Device Management (MDM) product should help to defuse the risk by inhibiting the Browser app remotely.
You’ll need to provide your users with another browser in its place, of course, but your MDM software should make that pretty easy, too.
Well-known replacement browsers include Firefox, Chrome and Dolphin.
As far as we know, none of those have the bug described here.
“Disable” is not part of the options for mine in the App Info — instead the button says “Turn Off” and it is greyed out and doesn’t respond. Suggestions?
Ouch. What phone do you have?
Is there a “Force stop” button and, if so, does force-stopping the app activate the “Turn off” option?
I have the same situation as Catherine, and no, force-stopping the app doesn’t make “turn off” an option.
Mine is unbudgeable in any form.
Motorola Defy mini – stuffed with crapware that seems to be superglued to the system.
Highly tempted to root it, but a bit worried about bricking it.
Still, for £49.99 SIM free it works as a phone (which I guess is the basic idea).
Maybe rooting your phone helps? (With an app manager like link2sd)
Same thing here on an already rooted Wiko phone.
Impossible to click on the “disable” button.
Since your phone is rooted, if you install an app like Titanium Backup, you might find it possible to uninstall “Internet”/“Browser” altogether, even though it’s a system app.
Disabling is a nice precaution, but not the end of the world. Just don’t use the prepackaged browser and you’ll be fine; as I recall there should be a way to change the default browser to whatever alternative you want to use. After that it’s just a matter of replacing any shortcuts on your homescreen with your new browser and remembering not to launch it manually.
It’s only a problem if you use it. Just use Chrome, Firefox, Opera or Dolphin as default (clear all data in the Browser app so no info is saved any more).
My phone is a Samsung S3. It doesn’t have an app named “Browser,” but does have one built in named “Internet.” Does anybody know if these are one and the same? If so, my options are Force Stop and Turn Off.
I don’t use the “Internet” app to browse, as I have both Chrome and Firefox installed. I will turn it off for now, just in case it contains the same bug.
Okay, I was able to Force Stop “Internet” but, as others have reported, “Turn Off” is grayed out and never becomes a viable option. So, I cleared the cache and will continue to not use that icon/browser.
Mine says the same…
My S3 from O2 with Android 4.3 doesn’t have an app called browser. It has one called ‘Internet’, and one called ‘Chrome’. Does anyone know if either of these are vulnerable?
Not sure what the code base of “Internet” is. Chrome, as suggested above, should be OK. That’s Google’s mainstream browser, and the one that has supplanted “Browser” on Android.
Yes, “Browser” and “Internet” are names for the Android Stock Browser.
And I presume “Turn off” and “Disable” are the same thing?
Does “Internet” also have that blue globe icon? (I don’t have a Samsung phone to check. Probably should pop into a mobile phone shop and have a play 🙂)
Yes, Paul, it has the same icon. Unfortunately, on my Samsung Acer, it doesn’t come up in the list in Application Manager, so there seems to be no way to disable it.
Droid 2 here, disable is not an option. I can force stop and clear data, but that’s it.
I have a Samsung Surface 3 tablet, and it has “Turn Off” instead of “Disable”, but it’s greyed out so I can’t actually turn it off. Any ideas?
Others are doing a Force Stop, clearing the app cache, and being careful not to run the “Internet” app again (that they know of 🙂).
Another thing you can do is “Hide” both “Browser” and “Internet”, so you won’t accidentally click on them, since you can’t “Disable” or “Turn Off”! The way to do this is: click on “Apps”, click the lower left corner of your phone, then click on “Hide Applications”, then check the “Application” you want to hide! That’s how I do it on my Samsung Galaxy LTE… Might be different on different phones!
Good thinking!
I reckon that if you are really worried, you can “Force Stop” the app, which should cause the Force Stop button to be greyed out. Then you can occasionally go back into Settings | Apps | All | Internet and check that the Force Stop button is still greyed out, implying that the app hasn’t run since you last stopped it. Though what you do if it *has*, I am afraid I can’t say 🙂
On my Samsung Fame, disable is greyed out. You can force stop, but look back a minute or two later and it’s started again. I guess during development it was considered a vital part of the OS 🙁
So, forget my earlier advice about checking that a stopped app stays stopped…
Bummer, I like Browser. It’s simple, quick and allows me to run Facebook games without having to use the Facebook app. Now I’m going to have to figure out how to fix Chrome.
Can’t disable on Galaxy Note 10.1 (can force stop), so I dragged the icon to the bin so I don’t accidentally use it.
Have an Xperia SP running 4.3 Jelly Bean; it doesn’t have an app called “Browser”. Any Xperia users?
Disabling the stock browser wasn’t a good workaround, since many third-party browsers that utilize the stock webcore will also be affected.
“Disable stock browser” is not a valid fix for those that use the stock browser. Patches are available:
https://android.googlesource.com/platform/external/webkit/+/7e4405a7a12750ee27325f065b9825c25b40598c