Critical Same Beginning Policy Bypass Flaw Constitute Inwards Samsung Android Browser

Influenza A virus subtype H5N1 critical vulnerability has been discovered inwards the browser app comes pre-installed on hundreds of millions of Samsung Android devices that could permit an assailant to pocket information from browser tabs if the user visits an attacker-controlled site.

Identified every bit CVE-2017-17692, the vulnerability is Same Origin Policy (SOP) bypass number that resides inwards the pop Samsung Internet Browser version 5.4.02.3 in addition to earlier.

The Same Origin Policy or SOP is a safety characteristic applied inwards modern browsers that is designed to arrive possible for spider web pages from the same website to interact piece preventing unrelated sites from interfering amongst each other.

In other words, the SOP makes certain that the JavaScript code from i rootage should non hold out able to access the properties of a website on to a greater extent than or less other origin.

The SOP bypass vulnerability inwards the Samsung Internet Browser, discovered yesteryear Dhiraj Mishra, could permit a malicious website to pocket data, such every bit passwords or cookies, from the sites opened yesteryear the victim inwards unlike tabs.

"When the Samsung Internet browser opens a novel tab inwards a given domain (say, google.com) through a Javascript action, that Javascript tin come upwards inwards afterward the fact in addition to rewrite the contents of that page amongst whatever it wants," researchers from safety theater Rapid7 explained.

"This is a no-no inwards browser blueprint since it way that Javascript tin violate the Same-Origin Policy, in addition to tin straight Javascript actions from i site (controlled yesteryear the attacker) to human activity inwards the context of to a greater extent than or less other site (the i the assailant is interested in). Essentially, the assailant tin insert custom Javascript into whatever domain, provided the victim user visits the attacker-controlled spider web page first."

Attackers tin fifty-fifty snag a re-create of your session cookie or hijack your session in addition to read in addition to write webmail on your behalf.

Mishra reported the vulnerability to Samsung, in addition to the companionship replied that "the field is already preloaded inwards our upcoming model Milky Way Note 8, in addition to the application volition hold out updated via Apps shop update inwards October."

Meanwhile, Mishra, amongst the assistance of Tod Beardsley in addition to Jeffrey Martin from Rapid7 team, besides released an exploit for Metasploit Framework.

Rapid7 researchers bring besides published a video demonstrating the attack.

Since the Metasploit exploit code for the SOP bypass vulnerability inwards the Samsung Internet Browser is straight off publicly available, anyone amongst less technical noesis tin role in addition to exploit the flaw on a large number of Samsung devices, virtually of which are nonetheless using the erstwhile Android Stock browser.