Rafay Bloach is a young security researcher from Karachi, a well known name both at local and international forums. He has been into this field for more than 6 years now helping many software companies finding bugs and tighten their security. Rafay is an active participant of bug bounty programs and got listed in hall of fame by Google, Facebook, Microsoft, Twitter and other notable companies.
As per his blog post, Last month Rafay has found a critical vulnerability in the Android stock browser, which could have affected more than 75 percent Android users. The Android Open Source Platform (AOSP) browser installed on Android devices other than the latest version KitKat are vulnerable to Same Origin Policy (SOP) bypass. SOP is designed to make pages of a same site interact with each other by using the information provided on one page at another page. Bypassing the SOP, an attacker can gain access to content from a different website, all it needs a malicious website.
For example you’re reading your emails in one tab and opened a random website in another. This particular website is embedded with a malicious code and with in matter of seconds the hacker could take control of your email account, could read your email or send them on your behalf. It could copy your session cookies and get access to your personal information and passwords.
This vulnerability was first discovered on a QMobile smartphone running Jelly Bean 4.2.1 operating system, however later same results were produced on other devices including Galaxy S3, HTC Wildfire and other devices running Jelly Bean operating system. Google has stopped shipping the AOSP browser with Android KitKat and made Chrome the default browser so all the users on Android 4.4.x KitKat are considered safe.
Rafay said that he has notified Google about this vulnerability long before posting it on his blog, but the Google security team rejected his findings on the basis that they couldn’t reproduce the issue and denied him any credits or bounty. However now they are working on this issue and its been identified as CVE-2014-6041.
Expanding the scope of research another expert from Rapid7 has claimed that this vulnerability is not just limited to AOSP browser, any application that use WebView component is vulnerable ─ including Maxthon and CM Browser. If you are running an older version of Android it is recommended that you should install Google Chrome or Firefox.