A Pakistani security researcher, Rafay Baloch, has helped Google in preventing a privacy disaster. In a blog post published a month ago, Rafay detailed how the Same Origin Policy (SOP) protection used by modern browsers on Android could be bypassed.
The bug identified by Rafay potentially affected anyone who wasn’t running the latest Android KitKat 4.4, which means that more than 75% of Android devices and millions of users were vulnerable.
Simply put, if you used the Android browser, which is the default choice on all Android versions except KitKat 4.4, any malicious website could access data from other webpages. This is because web security depends on the Same Origin Policy (SOP), which ensures that data belonging to a specific site can only be read by scripts running on that same site.
As Baloch found out, a specially constructed script could ignore the SOP entirely and allow attackers to pull login details, cookies and other data from websites open in the browser to use as they liked.
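To make the mechanism concrete, the following is an added example written for this article, not code from Baloch's report or from the Android browser. It models how a browser decides whether two pages share an origin (scheme, host and port must all match) and refuses cross-origin reads of another page's cookies and DOM. The site names, the `pageData` store and the `enforceSop` switch are constructed for illustration; the switch only shows the consequence of a missing check, not how the real bypass worked.

```javascript
// Added example: the origin check behind the Same Origin Policy.
// An origin is the (scheme, host, port) triple; any difference means
// cross-origin, and script access to the other page's data is refused.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin triple. A missing port falls back to the
// scheme's default, so https://a.example and https://a.example:443 match.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// True only when all three components of the origin agree.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

function originKey(urlString) {
  const o = originOf(urlString);
  return `${o.scheme}//${o.host}:${o.port}`;
}

// Toy model of per-origin browser state (constructed sample data, not real sites).
const pageData = {
  "https://bank.example:443": { cookie: "session=abc123", dom: "<h1>Account</h1>" },
  "https://mail.example:443": { cookie: "sid=xyz", dom: "<h1>Inbox</h1>" },
};

// A script running on `requester` asks to read the cookies/DOM of `target`.
// With the SOP enforced, a cross-origin request gets null (access denied).
// `enforceSop = false` (hypothetical) models a browser whose check is skipped:
// the requesting page then sees everything the victim page holds.
function readOtherPage(requester, target, enforceSop = true) {
  if (enforceSop && !sameOrigin(requester, target)) {
    return null;
  }
  return pageData[originKey(target)] || null;
}

// Stand-alone demonstration.
console.log(sameOrigin("https://bank.example/login", "https://bank.example:443/account")); // true
console.log(sameOrigin("https://bank.example", "https://api.bank.example"));               // false
console.log(readOtherPage("https://mail.example/inbox", "https://bank.example/account"));   // null
```

Scheme, subdomain and port differences each make a pair of URLs cross-origin, which is why a same-origin check has to compare all three rather than just the domain name.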
According to Baloch, he contacted Google with the details of the exploit in mid-August but was told that it could not be replicated. It was only after Baloch published the SOP bypass on his blog that Google took notice and confirmed that the exploit could, in fact, be replicated.
This is worrying because 75.5% of Android devices come bundled with the vulnerable AOSP browser as the default choice, and Google’s slow response might have compromised the privacy of millions of users. Patches for the flaw have since been released by Google, but we would still suggest that you immediately stop using the default Android browser and switch to Chrome, Firefox or Opera.
Unfortunately, the ending isn’t a happy one for Baloch, who hasn’t received any credit for his discovery. Google’s policy for rewards and recognition for finding bugs requires that patches be issued before the security flaws are made public. However, when Google didn’t respond positively to Rafay, he had to make his discoveries public, and only then did Google take the necessary action.
Google has refused any further communication on the matter.
Rafay Baloch has been previously acknowledged by PayPal, Microsoft, ESET and eBay for reporting bugs and flaws in their systems.