Older Android versions are susceptible to a serious privacy bug

The stock browser in Android versions up to 4.3 is vulnerable to a serious bug that lets websites read the content and cookies of other web pages via JavaScript. The Chrome browser and the stock browser in Android 4.4 are not vulnerable.

The vulnerability was found earlier this month by security researcher Rafay Baloch. Normally, websites can only perform operations on their own domain or subdomain; the so-called same-origin policy prevents, for example, websites from reading cookies that belong to other domains.

In the stock browser in Android 4.3 and earlier, however, the same-origin policy turns out not to be enforced when a Unicode character is placed before the JavaScript code, which allows any site to read data from another website. For example, the content of the other website can be read, which is sensitive in the case of, for example, webmail services. Session cookies can also be hijacked, which in some cases lets an attacker take over the session.

Android 4.4, the latest stable Android version, is not vulnerable, and the same goes for the Chrome browser, which is included as standard. In addition, Google no longer ships the stock browser on Nexus devices. Many Android users, however, run old Android versions: only 24.5 percent of Android users have version 4.4, according to figures from Google itself.

Many older phones are no longer supported by the manufacturer and no longer receive software updates, so they may remain vulnerable to the privacy bug permanently. The risk of the bug being abused is large: a module has now been released for the hacking framework Metasploit, which makes an attack easy to carry out.
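
For a site operator who wants to estimate how many visitors fall in the affected range described above (stock browser, Android up to 4.3), the following is an added example and not part of the original article. The User-Agent heuristic, the function names and the sample headers are assumptions constructed for illustration.

```javascript
// Added example, not from the article. Classifies a User-Agent header against
// the affected range the article gives: stock browser, Android up to 4.3.
// Assumption: the stock browser sends "Android <version>" plus a "Version/x.y"
// token and no "Chrome/" token. UA strings can be spoofed; use for triage only.

function parseAndroidVersion(ua) {
  const m = /Android\s+(\d+)(?:\.(\d+))?/.exec(ua);
  return m ? [parseInt(m[1], 10), m[2] ? parseInt(m[2], 10) : 0] : null;
}

function classifyUserAgent(ua) {
  if (typeof ua !== "string" || ua.length === 0) return "unknown";
  if (!/Android/.test(ua)) return "outside-affected-range";
  // The article states Chrome is not vulnerable, whatever the OS version.
  if (/\bChrome\/\d/.test(ua)) return "outside-affected-range";
  const v = parseAndroidVersion(ua);
  if (v === null) return "unknown"; // e.g. browsers that omit the OS version
  const [major, minor] = v;
  const upTo43 = major < 4 || (major === 4 && minor <= 3);
  if (!upTo43) return "outside-affected-range";
  // Old Android, WebKit with a Version/ token: matches the stock browser shape.
  if (/AppleWebKit\//.test(ua) && /\bVersion\/\d/.test(ua)) return "affected-range";
  return "unknown"; // third-party browser on old Android: the article is silent
}

function tally(userAgents) {
  const counts = { "affected-range": 0, "outside-affected-range": 0, unknown: 0 };
  for (const ua of userAgents) counts[classifyUserAgent(ua)] += 1;
  return counts;
}

// Constructed sample headers (not taken from real traffic).
const SAMPLE_UAS = [
  "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
  "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; GT-S5830 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
  "Mozilla/5.0 (Linux; Android 4.1.2; GT-I9300 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.117 Mobile Safari/537.36",
  "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36",
  "Mozilla/5.0 (Android; Mobile; rv:32.0) Gecko/32.0 Firefox/32.0",
  "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0",
];

console.log(tally(SAMPLE_UAS));
```

Visitors counted as `affected-range` are the ones for whom the article's advice applies: the stock browser will not be fixed on unsupported devices, while Chrome is not vulnerable.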
