Privacy Disaster Bug Potentially Affects Every 3 Out of 4 Android Devices

Being termed as privacy disaster, the latest Android bug tin affect anyone not on the latest Android four.iv KitKat. The bug infects your Android device when you direct the browser to a especially designed website that injects infected javascript into your device. This bypasses SOP protection used past nigh of the browsers to protect such an infection from happening. According to Alan Woodward, security skillful University of Surrey, the exploit allows access to all of your private date potentially creating more issues for the victim using that data.

Considering the vulnerability is open to anyone not on the Android 4.4, the equation would make every three out of four Android users vulnerable to possible targets. Yet, the actual number is a lot lower because the privacy disaster bug only affects those using the Android Open Source Platform (AOSP) browser.

Android Privacy Disaster bug:

The bug was first identified by a security researcher Rafay Baloch who released the bug details sharing that he has been able to exploit a number of devices similar the Samsung Galaxy S3, Sony Xperia tipo, Motorola Droid Razr, HTC Evo 3D, and the HTC Wildfire. While Google has yet to comment on this rather critical issues, there are insecurities arising that the same flaw could be used to let a featherbed of the SOP protection used by other, more modernistic browsers.

An aggressor wanting to exploit this flaw would convince a user to visit their peculiarly-crafted website, which would run JavaScript code that prepended a URL handler (which points the browser to executable code) with a null byte as here "u0000javascript:", Rapid7'due south Tod Beardsley explained over email. This would then allow the hacker to inject whatsoever JavaScript they wanted across other sites.

From this indicate on, the assaulter can cause untold trouble for the victim. "Normally, I can't just choose to run JavaScript in whatsoever domain context I want. If I tin do that, I can practice all sorts of things – scrape web pages, read password fields, hijack a session," -Forbes

This possibility of the flaw enabling hacker to doall sorts of thingsis what has gotten the bug the rather extremist proper name of Privacy Disaster bug. The situation gets even more serious as the exploit code has been uploaded to Metasploit - a platform used past hackers to breach systems.

-Source of Privacy Disaster issues: Forbes