Critical “Same Origin Policy” Bypass Flaw Found in Samsung Android Browser

Security exists to protect everything we have, and flaws in it come in many forms. Such flaws cannot be taken lightly, since they can cause serious problems. We need to stay prepared and up to date as new problems appear.

A critical vulnerability has been discovered in the browser app that comes pre-installed on a vast number of Samsung Android devices. It could allow an attacker to steal data from browser tabs if a user visits an attacker-controlled site.

Identified as CVE-2017-17692, the vulnerability is a Same Origin Policy (SOP) bypass issue that resides in the popular Samsung Internet Browser version and earlier.

The Same Origin Policy, or SOP, is a security feature in modern browsers that is designed to let web pages from the same website interact while preventing unrelated sites from interfering with one another. In other words, the SOP ensures that JavaScript code from one origin cannot access the properties of a website on another origin.
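What the policy described above is meant to enforce, as an added example that is not from the original article, Samsung or Rapid7: a script may reach into another tab's document only when scheme, host and port all match. The hostnames and function names are constructed for illustration.

```javascript
// Added example: the origin comparison a browser applies before letting a
// script reach into another window's document. Hostnames are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple (scheme, host, port).
// Returns null for opaque origins such as data: URLs.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.origin === "null") return null;
  return {
    scheme: u.protocol,                               // lower-cased by the URL parser
    host: u.hostname,                                 // lower-cased by the URL parser
    port: u.port || DEFAULT_PORTS[u.protocol] || "",  // fill in the default port
  };
}

// Two URLs are same-origin only if all three parts match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false; // an opaque origin never matches
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Decision for a script at scriptUrl that holds a handle to a tab at tabUrl.
function mayScriptTab(scriptUrl, tabUrl) {
  return sameOrigin(scriptUrl, tabUrl) ? "allow" : "deny";
}

// Constructed cases: [page running the script, tab it holds a handle to]
const CASES = [
  ["https://shop.example/cart", "https://shop.example:443/checkout"], // explicit default port
  ["https://shop.example/cart", "HTTPS://Shop.Example/help"],         // case differences only
  ["https://shop.example/cart", "http://shop.example/cart"],          // scheme differs
  ["https://shop.example/cart", "https://shop.example:8443/cart"],    // port differs
  ["https://other.example/", "https://mail.example/inbox"],           // unrelated site
  ["https://shop.example/cart", "data:text/html,<p>hi</p>"],          // opaque origin
];

function evaluateCases() {
  return CASES.map(([script, tab]) => mayScriptTab(script, tab));
}

console.log(evaluateCases());
```

The fifth case is the situation this article is about: an unrelated page holding a handle to a tab on another site, which a correct browser denies.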

The SOP bypass vulnerability in the Samsung Internet Browser, uncovered by Dhiraj Mishra, could allow a malicious website to steal data, such as passwords or cookies, from the sites opened by the victim in various tabs.

“When the Samsung Internet browser opens a new tab in a given domain (say, google.com) through a JavaScript action, that JavaScript can come in after the fact and rewrite the contents of that page with whatever it wants,” researchers from security company Rapid7 explained.

“This is a no-no in browser design since it means that JavaScript can violate the Same-Origin Policy, and can direct JavaScript actions from one site (controlled by the attacker) to act in the context of another site (the one the attacker is interested in). Essentially, the attacker can insert custom JavaScript into any domain, provided the victim user visits the attacker-controlled web page first.”

Attackers can even snag a copy of your cookie or hijack your session and read and write webmail on your behalf.

Mishra reported the vulnerability to Samsung, and the company replied that “the patch is already preloaded in our upcoming model Galaxy Note 8, and the application will be updated via Apps store update in October.”

Meanwhile, Mishra, with the help of Tod Jeffrey and Beardsley Martin from the Rapid7 team, released an exploit for the Metasploit Framework. Rapid7 analysts have also posted a video demonstrating the attack.

Because the Metasploit exploit code for the SOP bypass vulnerability in the Samsung Internet Browser is now publicly available, anyone with little technical knowledge can exploit the flaw on a large number of Samsung devices, the majority of which are still using the old Android Stock browser.
