Android bug allowing SOP bypass a ‘privacy disaster,’ researcher warns

September 17, 2014 – 5:14 PM

Researchers are warning Android users of a major vulnerability that impacts a vital browser security mechanism called Same-Origin Policy (SOP).

The bug – called a “privacy disaster” by Tod Beardsley, an engineering manager at Rapid7 who blogged about the issue Monday – is serious because SOP, “the cornerstone of web privacy,” can be bypassed via exploitation, he explained.

While Google has patched the issue, Beardsley told in a Tuesday interview, it could still take months for many users to get the update through their device manufacturers or service providers. The bug, CVE-2014-6041, could allow a saboteur to circumvent the Android Open Source Platform (AOSP) browser’s Same-Origin Policy (SOP), a concern that impacts approximately 75 percent of Android users who run platforms older than version 4.4.

In addition to Android users with lower-end prepaid phones being vulnerable (where AOSP may be shipped as the default browser as opposed to Chrome, for instance), tech savvy users, who simply prefer the AOSP browser, could be targets for attackers, Beardsley said.


You must be logged in to post a comment.