Researchers find Android ‘Browser’ vulnerability in many devices: SSO Alert Priority Moderate
19 September 2014
A security researcher has discovered a vulnerability in the standard web browser app, called ‘Browser’, that ships on many Android devices. The app (the open-source Android browser) was included with the operating system in Android versions before 4.4 (KitKat). The issue is tracked as CVE-2014-6041.
Many devices still run these older versions of Android, so the affected browser is installed by default. Google discontinued ‘Browser’ as a standard component from Android 4.4 onwards; however, it can still be downloaded and installed separately if required.
The vulnerability has been described as ‘shocking’ by some security experts. Attackers can use it to bypass a fundamental browser security mechanism known as the Same-Origin Policy, which stops a web page from reading content (such as cookies, session tokens and page contents) that belongs to a different website. This means that if you visit a malicious website using the affected Browser app, that website could read information from other websites you are logged in to in another browser window or tab, and could potentially use it to take over your session on those sites. This has serious implications for your privacy and the security of your online accounts.
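To make the Same-Origin Policy concrete, here is a small added example (not code from this alert or from the affected Browser app) that models the check a browser performs before letting a script on one page read the cookies or page contents of another window: two pages are ‘same-origin’ only if scheme, host and port all match. The site names, URLs and cookie value are constructed for the demonstration, and the `enforce=false` path only models the effect of the policy not being applied; it does not reproduce the actual bug.

```javascript
// Added example, not code from the Stay Smart Online alert: a small model of
// the Same-Origin Policy check a browser performs before letting a script on
// one page read the DOM or cookies of another window. The sites, URLs and
// cookie value below are constructed for the demonstration.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its origin (scheme, host, port). Default ports are filled
// in so that http://a.example and http://a.example:80 compare as equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Two URLs are same-origin only if scheme, host and port all match; a
// different path, query string or fragment does not matter.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed sample: two open tabs, one logged in to a bank and one on a
// malicious page the victim was lured to. The session cookie is made up.
const TABS = {
  bank: { url: 'https://bank.example/account', cookie: 'session=abc123' },
  attacker: { url: 'https://evil.example/lure', cookie: '' },
};

class SecurityError extends Error {}

// The cross-window read a correct browser refuses. With enforce=false the
// function models the effect of the vulnerability (the policy not being
// applied), not the actual bug in the Browser app.
function readCookie(requester, target, enforce = true) {
  if (enforce && !sameOrigin(requester.url, target.url)) {
    throw new SecurityError(
      `${originOf(requester.url)} may not read from ${originOf(target.url)}`);
  }
  return target.cookie;
}

// Attempt the read from the attacker's tab and report whether it was
// blocked or what leaked.
function attackerReadsBank(enforce) {
  try {
    return { blocked: false, value: readCookie(TABS.attacker, TABS.bank, enforce) };
  } catch (e) {
    if (e instanceof SecurityError) return { blocked: true, value: null };
    throw e;
  }
}

console.log('policy enforced:', attackerReadsBank(true));
console.log('policy bypassed:', attackerReadsBank(false));
```

With the policy enforced the attacker's tab gets a `SecurityError`; with it bypassed the bank's session cookie is returned, which is exactly the ‘take over your session’ outcome described above. Note that `https://bank.example` and `https://login.bank.example` are different origins even though they belong to the same organisation.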
If you use Browser (on some devices it is labelled ‘Internet’) on your Android device, you are advised to disable (or remove) it in your settings and use an alternative browser instead. If it cannot be disabled, use an alternative browser anyway and avoid opening links in Browser.
You can check whether Browser is present on your device and, in many cases, disable it by going to Settings > Apps > All > Browser (or ‘Internet’) > Disable. On most devices Browser is a system app that cannot be uninstalled, so Disable is the option to look for; if the Disable button is greyed out or missing, the app cannot be turned off on that device. Once you have installed an alternative browser, choose it (and select ‘Always’) when Android asks which app should open a link, so that other apps do not keep sending web pages to Browser.
Mozilla Firefox and Google Chrome both offer browser apps for Android, available from the Google Play store or directly from their websites. Neither uses the affected Browser app’s rendering engine, so they are not affected by this vulnerability.
A research vulnerability—so what?
Even if a vulnerability is discovered by a researcher rather than an attacker, once the researcher discloses it publicly anyone can examine its technical details and potentially exploit it. Typically, researchers privately notify the software owner first, giving them time to address the issue before it is publicly disclosed. Even so, attackers will often start using a vulnerability to attack people very quickly, in some cases within hours of it being published. They know that if they act fast, there will be more people who have not heard of the issue or taken any action to address it.
This is the reasoning behind the practice amongst researchers known as responsible (or coordinated) disclosure: the vendor is told first and given time to prepare a fix, and the details are published only afterwards.
One of the most effective things you can do is to apply patches and updates to your device as soon as they are available. Set your software to update automatically wherever possible to make this less of a chore. Be aware, however, that Browser is updated only as part of the Android operating system, and operating system updates for older devices depend on the device manufacturer and carrier; if no update is offered for your device, switching to an alternative browser is the only fix available to you.
The researcher who identified the issue, Rafay Baloch, has written about it in detail on his blog.
Stay Smart Online offers more advice about securing your mobile devices.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.