Android Devices Face Privacy Flaw

Friday, September 19, 2014 @ 04:09 PM gHale

A Metasploit module can exploit a flaw in 75 percent of Android devices that allows attackers to hijack a users’ open websites.

The exploit targets vulnerability (CVE-2014-6041) in Android versions 4.2.1 and below and ended up disclosed September 1, researchers said.

Android Apps at Risk for MitM Attacks
New Android Attack Revealed
Android Apps Prone to MitM attacks
Android Gyroscopes Act as Listening Device

Tod Beardsley, a developer for the Metasploit security toolkit dubbed the “major” flaw a “privacy disaster.”

“What this means is any arbitrary website — say, one controlled by a spammer or a spy — can peek into the contents of any other web page,” Beardsley said in a blog post.

“[If] you went to an attackers site while you had your web mail open in another window, the attacker could scrape your email data and see what your browser sees.

“Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write web mail on your behalf.”

It worked using a malformed a Javascript: URL handler prepended with a null byte which allowed attackers to bypass the Same-Origin Policy in the defunct but still popular Android Open Source Platform (AOSP).

The creation of a module for the Metasploit penetration testing platform would make exploitation easier.

Researcher Rafay Baloch discovered the flaw SOP bypass in his Qmobile Noir A20 running Android Browser 4.2.1, and later verified it on devices from Sony, Xperia, Tipo, Samsung Galaxy, HTC Wildfire, Motorola and more.

Beardsley said nearly 100 percent of less expensive Android phones run version 4.2 “Jellybean” and would suffer from the issue.

Leave a Reply

You must be logged in to post a comment.