THREE QUARTERS of Android mobes open to web page spy bug

Metasploit module gobbles KitKat SOP slop

30 Reg comments Got Tips?

A Metasploit module has been developed to easily exploit a dangerous flaw in 75 percent of Android devices that allows attackers to hijack a users' open websites.

The exploit targets vulnerability (CVE-2014-6041) in Android versions 4.2.1 and below and was disclosed without fanfare on 1 September, but had since gathered dust, according to researchers.

Tod Beardsley (@TodB), a developer for the Metasploit security toolkit dubbed the "major" flaw a "privacy disaster".

"What this means is any arbitrary website - say, one controlled by a spammer or a spy - can peek into the contents of any other web page," Beardsley said.

"[If] you went to an attackers site while you had your web mail open in another window, the attacker could scrape your email data and see what your browser sees.

"Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write web mail on your behalf."

It worked using a malformed a Javascript: URL handler prepended with a null byte which allowed attackers to bypass the Same-Origin Policy in the defunct but still popular Android Open Source Platform (AOSP).

The creation of a module for the Metasploit penetration testing platform would make exploitation easier.

Researcher Rafay Baloch discovered the flaw SOP bypass in his Qmobile Noir A20 running Android Browser 4.2.1, and later verified it on devices from Sony, Xperia, Tipo, Samsung Galaxy, HTC Wildfire, Motorola and more. He described the SOP bypass in an earlier post.

"A SOP bypass occurs when a is some how able to access the properties of such as cookies, location, response etc. Due to the nature of the issue and potential impact, browsers have very strict model pertaining it and a SOP bypass is rarely found in modern browsers, however, they are found once in a while."

Beardsley said nearly 100 per cent of cheap Android phones run version 4.2 'Jellybean' and would be affected. ®


Biting the hand that feeds IT © 1998–2020