Older Android versions are prone to serious privacy bug

The stock browser of Android versions up to and including 4.3 is vulnerable due to a serious bug where websites can read the content and cookies of other web pages via javascript. The Chrome browser and the stock browser in Android 4.4 are not vulnerable.

The vulnerability was found earlier this month by security researcher Rafay Baloch. Normally, websites should only be able to perform operations on their own domain or subdomain; the so-called same origin policy, for example, prevents websites from reading cookies from other domains.

However, in the stock browser of Android 4.3 and earlier, the same origin policy appears not to be adhered to when a unicode character is placed in front of the javascript code, allowing each website to read the data from another website. For example, the content of the website can be read, which is sensitive in the case of, for example, webmail services. Session cookies can also be hijacked, allowing an attacker to take over the session in some cases.

Android 4.4, the latest stable Android version, is not vulnerable, as is the Chrome browser, which comes standard. In addition, Google no longer supplies the stock browser with Nexus devices. However, many Android users run old Android versions: only 24.5 percent of Android users have version 4.4, according to figures from Google itself.

Many older phones are no longer supported by the manufacturer and no longer receive software updates, so they may always remain vulnerable to the privacy bug. The risk that the bug will be exploited is high: a module has now been released for the hacking framework Metasploit, which makes it easy to set up an attack.