Massive privacy flaw within Android Browser through harmful Javascript

18 Sep 2014

A reported new bug within Android’s native Browser app could potentially leak cookies, passwords and other saved data if accessed by a malicious code.

When this particularly harmful Javascript is inserted into Browser, usually sourced from one particular web page, it is then able to worm its way into other sites and gather data that is usually protected behind a no-access wall known as the Same Origin Policy (SOP), according to Ars Technica.

However, this bug, discovered by researcher Rafay Baloch, actually breaks through the SOP within the browser, which would allow the floodgates to open.

The biggest worry for internet search giant Google, the company behind the Android operating system, is that about 50pc of Android’s userbase uses the Browser app.

Browser has been created with open source modifying in mind for manufacturers, as opposed to Google’s own Chrome app.

Since Android 4.2, Browser has not been available on phones with Chrome appearing as the pre-installed browser, despite some users actively searching out and installing Browser onto the phone as preference over Chrome.

While Baloch has reported the fault to Google, the company had initially rejected the claim, only to reverse its decision, claiming it has the ability to fix the problem.

However, as Browser is not an app available through the Google Play Store, the only updates it can receive are through operating system upgrades which, for the most part, are not available to Android users below Jelly Bean 4.2.

Colm Gorey was a senior journalist with Silicon Republic