Same Origin Policy Bypass Vulnerability Has Wider Reach Than Thought

Independent security researcher Rafay Baloch recently disclosed a serious vulnerability in Android’s built-in browser. The vulnerability allows the same origin policy of the browser to be violated. This could allow a dangerous universal cross-site scripting (UXSS) attack to take place.

An attacker could potentially use an IFRAME to load a legitimate site for which the victim has an account. Due to the disclosed bug he now has the ability to run Javascript in the context of that site, something he should not be able to do due to the Same Origin Policy (a site can only use code to access its own content). The victim would then run the risk of possibly having the data they input on that legitimate website, or cookies associated with it, stolen by the attacker.

To recap, in the context of a browser, a same origin policy restricts scripts so that one site cannot access another site’s properties which may include cookies and locations among others.  Conceptually, it is a way of isolating sites from one another so that malicious code on one site cannot affect another site. All modern browsers include some form of this policy today.

A UXSS attack does not need for any vulnerability on the target website to be present. A user visiting a malicious URL is sufficient for the attack to be carried out. For example, the cookies of any site visited by the user in the past can be easily stolen. In other scenarios, the target site can be “modified” as if it had been compromised by an attacker, with all of these “modifications” happening within the user’s browser.

Baloch’s findings discussed how the null (U+0000) character could be used to exploit this vulnerability. Our own findings indicate, however, that other characters can be used as well. We believe that the first 33 Unicode characters (U+0000 up to U+0020) can be used. These consist of 32 control characters as well as the space character.

In our example below, we used the U+0020 character (space) to trigger a UXSS attack:

Figure 1. HTML source code of test site

Figure 2. Proof of concept

We decided to check how common this problem was by downloading the top 100 apps in Google Play with “browser” in their names. We found that 42 of these apps were vulnerable. However, other apps are at risk too. Apps that open websites within their app are also at risk. We were able to trigger this vulnerability from inside a messaging app as well.

Figure 3. Messaging app

Currently, there is not much that users can do to avoid this problem. They can opt to use browsers that are not affected by this vulnerability, such as Chrome or Firefox.

The more significant problem right now might be apps that show a website within their own user interface. Messaging apps, or other apps where users can view an arbitrary URL, are a particular problem if the site is opened within the app and not sent to the user’s default browser.

Older versions are affected by this problem except version 4.4 of Android (KitKat). KitKat only accounts for one-fourth of all Android users. As of posting, a patch has also been released by Google.


Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Same Origin Policy Bypass Vulnerability Has Wider Reach Than Thought

Read more: Same Origin Policy Bypass Vulnerability Has Wider Reach Than Thought

Story added 30. September 2014, content source with full text you can find at link above.