Major Security Vulnerability Revealed in Android's Default Browser

A major security flaw in Google Android's built-in AOSP browser has been found by the Metasploit team.

The vulnerability is described in detail here: http://www.cvedetails.com/cve/CVE-2014-6041/

There's no sugarcoating it, this one is bad. The vulnerability allows an attacked to use a crafted website to scrape data from all other open tabs, and even allows interactivity between the open tabs, so an attacker could not only read all data on neighboring tabs, but they could manipulate data and even send messages and emails impersonating that person.

Google has dropped "official support" for the AOSP browser, so the reaction to exploit and information as to whether anything will be done to fix it is sparse.

The exploit impacts all Android products prior to 4.3 (this means Cupcake, Donut, Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, and most of Jelly Bean are impacted. Kit Kat is not impacted by the vulnerability.

At this time the best thing you can do to avoid this bug is avoid using the built-in browser entirely. Install Firefox or Chrome for Android and use that instead. There is no fix in sight for this bug at this time.

Credit goes out to Rafay Baloch for finding the vulnerability. His Twitter: @rafaybaloch

< last
next >