Wednesday, October 8, 2014

Android Browser Privacy Flaw

A vulnerability in the default browser app on all  Android devices may expose private data from one website to another.  This could allow an attack in one browser window to steal sensitive and private information from another window.

The flaw, known as CVE-2014-6041, affects about 75 percent of Android systems and nearly 100 percent of the low-end prepaid phones (according to researchers at Rapid7's Metasploit research team.) The vulnerability is only present in the default browser app on Android versions prior to 4.4 (KitKat).  In Android, 4.4 and later, Google replaced the default browser with Chrome.

You can test your device for free on our website at: http://www.scomage.com/AndroidTest.asp.

Chrome and other third-party browsers do not seem to have the flaw.  However, some standard and third-party applications use the same code as the default browser and may be susceptible as well.

Google no longer supports the default Android browser and older phones are not likely to have support from their provider, so it appears that users of older versions are apparently out of luck.  The only helpful recommendation is to stop using the default browser. Chrome and other major browsers are suitable replacements.

If you have questions or additional concerns, please call our office at 908-458-9200.