Independent security researcher Rafay Baloch recently disclosed a serious vulnerability in Android’s built-in browser. The vulnerability allows the same origin policy of the browser to be violated. This could allow a dangerous universal cross-site scripting (UXSS) attack to take place.
To recap, in the context of a browser, a same origin policy restricts scripts so that one site cannot access another site’s properties, which may include cookies and locations, among others. Conceptually, it is a way of isolating sites from one another so that malicious code on one site cannot affect another site. All modern browsers include some form of this policy today.
A UXSS attack does not require any vulnerability to be present on the target website. A user visiting a malicious URL is sufficient for the attack to be carried out. For example, the cookies of any site visited by the user in the past can be easily stolen. In other scenarios, the target site can be “modified” as if it had been compromised by an attacker, with all of these “modifications” happening within the user’s browser.
Baloch’s findings discussed how the null (U+0000) character could be used to exploit this vulnerability. Our own findings indicate, however, that other characters can be used as well. We believe that the first 33 Unicode characters (U+0000 up to U+0020) can be used. These consist of 32 control characters as well as the space character.
In our example below, we used the U+0020 character (space) to trigger a UXSS attack:
Figure 1. HTML source code of test site
Figure 2. Proof of concept
We decided to check how common this problem was by downloading the top 100 apps in Google Play with “browser” in their names. We found that 42 of these apps were vulnerable. However, browser apps are not the only ones at risk: apps that open websites within their own interface are at risk as well. We were able to trigger this vulnerability from inside a messaging app, too.
Figure 3. Messaging app
Currently, there is not much that users can do to avoid this problem. They can opt to use browsers that are not affected by this vulnerability, such as Chrome or Firefox.
The more significant problem right now might be apps that show a website within their own user interface. Messaging apps, or other apps where users can view an arbitrary URL, are a particular problem if the site is opened within the app and not sent to the user’s default browser.
Older versions of Android are affected by this problem; version 4.4 (KitKat) is not. KitKat accounts for only one-fourth of all Android users. As of posting, a patch has also been released by Google.