Menu
Android stock browser vulnerable to URL spoofing

Android stock browser vulnerable to URL spoofing

It's recommended that users install Chrome or another browser

Android browser bug allows attackers to spoof the URLs displayed in the address bar

Android browser bug allows attackers to spoof the URLs displayed in the address bar

A vulnerability in Android's default Web browser lets attackers spoof the URL shown in the address bar, allowing for more credible phishing attacks.

Google released patches for the flaw in April, but many phones are likely still affected, because manufacturers and carriers typically are slow to develop and distribute Android patches.

The vulnerability was discovered by a researcher named Rafay Baloch and was privately reported to Google with the help of security firm Rapid7.

Baloch discovered the flaw on Android 5.0 Lollipop, which uses Chrome as its default browser, but then also confirmed it in the stock browser in older Android versions.

The issue stems from the browser's improper handling of error 204 "No Content" when returned by servers. The researcher created a proof-of-concept exploit that redirects the browser to a non-existent resource on www.google.com, but then loads a spoofed Google Account login page.

The browser patch for Chrome was distributed to Android Lollipop users through Google Play, but the fix for Android 4.4 (KitKat) will require an OS update whose availability will depend on device manufacturers and carriers, said Tod Beardsley, security research manager at Rapid7, via email.

According to Google's official statistics, almost 40 percent of Android devices that access Google Play are running Android 4.4 and only 10 percent run Android 5.x.

Android 4.4 users who haven't received an OS update recently should avoid using the stock browser to access sites that require authentication, Rapid7 said in an advisory. Chrome or other browsers that are updated through Google Play can be good alternatives.

Users who run Android versions older than 4.4 should stop using the Android stock browser, also known as the AOSP browser, anyway because Google will no longer release security patches for it.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags mobile securityGooglescamspatchesExploits / vulnerabilitiesRapid7

Featured

Slideshows

Reseller News welcomes industry figures for 2019 Hall of Fame lunch

Reseller News welcomes industry figures for 2019 Hall of Fame lunch

Reseller News welcomed 2018 inductees - Chris Simpson, Kendra Ross and Phill Patton - to the third running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing landscape of the technology industry in New Zealand, while outlining ways to attract a new breed of players to the ecosystem. Photos by Gino Demeer.

Reseller News welcomes industry figures for 2019 Hall of Fame lunch
Upcoming tech talent share insights at inaugural Emerging Leaders Forum 2019

Upcoming tech talent share insights at inaugural Emerging Leaders Forum 2019

The channel came together for the inaugural Reseller News Emerging Leaders Forum in New Zealand, created to provide a program that identifies, educates and showcases the upcoming talent of the ICT industry. Hosted as a half day event, attendees heard from industry champions as keynoters and panelists talked about future opportunities and leadership paths and joined mentoring sessions with members of the ICT industry Hall of Fame. The forum concluded with 30 Under 30 Tech Awards across areas of Sales, Entrepreneur, Marketing, Management, Technical and Human Resources. Photos by Gino Demeer.

Upcoming tech talent share insights at inaugural Emerging Leaders Forum 2019
Show Comments