Pakistani Researcher Helps Google in Preventing a Massive Security Disaster

A Pakistani security researcher, Rafay Baloch, has helped Google prevent a privacy disaster. In a blog post published a month ago, Rafay detailed how the Same Origin Policy (SOP) protection used by modern browsers on Android could be bypassed.

The bug identified by Rafay potentially affected anyone who wasn’t running the latest Android KitKat 4.4, which means that more than 75% of Android devices and millions of users were vulnerable.

Simply put, if you used the Android browser, which is the default choice on all Android versions except KitKat 4.4, any malicious website could access data from other webpages. This is because web security depends on the Same Origin Policy (SOP), which ensures that the data sent by a specific site can only be accessed by that site.

As Baloch found out, a specially constructed script could ignore the SOP entirely and allow attackers to pull site login info, cookies and data from other websites to use as they liked.

According to Baloch, he tried to contact Google with the details of the exploit in mid-August, but he was met with the response that it couldn’t be replicated. It was only after a post about the SOP bypass appeared on Baloch’s blog that Google took notice and said that the exploit could, in fact, be replicated.

This is worrying because 75.5% of Android devices come bundled with the vulnerable AOSP browser as the default choice, and Google’s slow response might have compromised the privacy of millions of users. Patches for the flaw have since been released by Google, but we would still suggest that you immediately stop using the default Android browser and switch to Chrome, Firefox or Opera.

Unfortunately, the ending isn’t a happy one for Baloch, who hasn’t received any credit for his discovery. Google’s policy for rewards and recognition for finding bugs requires that patches be issued before the security flaws are made public. However, when Google didn’t respond positively to Rafay, he had to make his discoveries public. Only then did Google take the necessary action.

Google has refused any further communication on the matter.

Rafay Baloch has been previously acknowledged by PayPal, Microsoft, ESET and eBay for reporting bugs and flaws in their systems.

Talal is a Director and the Editor in Chief at ProPakistani.


  • Uzair Farooqi

    Well, I think he is well recognized by all other blogs. Google is doing this to him only because he is a Pakistani, I guess..

    • AAA

      No, actually Google too has Itfaq Foundry rebar in its neck :D.

      • manobilla

        No, it is Indian rebar.

    • Shahid Saleem

      You guess wrong. He has been credited by Google for finding at least three security issues in 2013. He did not get rewards, but that does not mean they don’t like Pakistanis.

      They certainly have no objection to giving rewards to Muslims. Read the names

      http://www.google.com/about/appsecurity/hall-of-fame/distinction/

      and on related links.

      • aamir7

        Why did you bring religion into the discussion? Uzair was mentioning nationality only.

        • Shahid Saleem

          I mentioned that because too many people say Google is conspiring against Muslims. Don’t you even read comments on your own blog?

          • aamir7

            Address them in their respective threads, instead of generalizing the whole public and their opinion.

        • Shahid Saleem

          To put it more bluntly, when people say something like “Google is doing this to him only because he is a Pakistani” they really mean “Pakistani Muslims”. Almost no one who writes a complaint like that about Google or Paypal or Facebook or other services means “Pakistani Hindus” or “Pakistani Parsis” or “Pakistani Christians”.

      • Uzair Farooqi

        But I am not talking about Muslims here. I am talking about Pakistan and Pakistanis. We have had YouTube blocked for years now. But they still refused to block a single video that was the reason to block it. Why? Why don't they understand our values? I know that people blame the govt about that, but still Google did not even struggle to get its YouTube ban lifted from Pakistan. It just ignores us… :-/

        • Shahid Saleem

          You say that as if Pakistani values are different from Muslim values. Is that what you meant to say? Because certainly if the video is available in other Muslim countries, it is not a “Muslim values” issue.

          And you are wrong that Google did not try to get the ban lifted. They were sent a letter by the LHC, and they replied. They visited Pakistan three times to visit our minister, and she didn’t meet them. What did you want them to do when our ministry does not want the ban lifted?

      • Zaheer Abbasi

        There you go again. What did Muslims do wrong to you? You don't let a chance to criticize Muslims pass. Why don't you leave Pakistan and join your Jews brothers? F off from Pakistan.

        • Shahid Saleem

          You cannot understand English. Go away.

          • Zaheer Abbasi

            Hah. shaid kan_ger then don't tell me and f off from Muslims.

            • Shahid Saleem

              When you cannot understand what I wrote (which is the COMPLETE OPPOSITE of your comment), then it is obvious to all that you cannot understand English and you should do something about it.

              I said nothing against Muslims. You keep saying everything about some Muslims including me. Who is confused?

  • Amir

    Great work buddy! It would have been great if Google had compensated you but again you did not meet their policies. Anyway, great find. Keep up the hard work!

  • Haseeb

    Rafay is doing an excellent job and presenting Pakistan on all multinational companies, i.e. Google, PayPal, Microsoft etc. Keep it up, good work!!!

  • Ahmed

    I read about it a few weeks ago on several websites but nowhere was his place of residence mentioned.