Chromium vulnerability allowed access to private data via WebView on Android
A vulnerability in Chromium up to version 72 could allow attackers to access certain data on Android smartphones, such as authentication tokens. The vulnerability can be exploited via Instant Apps.
In addition to authentication tokens, the vulnerability also gave access to browsing history, security firm Positive Technologies told VentureBeat. The company does not describe in detail how attackers could exploit the vulnerability, but it appears developers could include a payload with an Instant App on Android, which users open by clicking a link.
Google described the vulnerability in a changelog as “inadequate enforcement of policy.” It resides in Chromium, the engine behind WebView on Android. The fix is included in Chromium version 73 and later. Updates for Android devices arrive automatically through the Play Store. For Android devices without Google's services, the update must come from the manufacturer or via sideloading. It is unknown whether malicious parties have exploited the vulnerability.
Because the vulnerability is in Chromium, some other browsers built on it were also affected, such as Yandex Browser and Samsung Internet Browser. The vulnerability is tracked as CVE-2019-5765.