The Android legacy SOP flaw which was discovered by Rafay Baloch, a Pakistani security researcher, affects the webview component of the Android default browser shipped with around 930,000 smartphones operating on Android 4.3 Jelly Bean and below. The vulnerability in the WebView component, occurs when replacing the ‘data’ attribute of a given HTML object with a JavaScript URL scheme. A potential hacker could leverage the UXSS flaw to scrape cookie data and page contents from a vulnerable browser window. The security hole can be exploited in all versions of the Android Open Source Platform (AOSP) browser which also known as Android stock or default browser. The vulnerability exists only in Android OS 4.3 Jellybean and below. Rapid7’s Joe Vennix and Rafay collaborated to put a Metasploit code for this vulnerability so that Google and other smartphone manufacturers could patch the flaw. However no patch not forthcoming. In between, Trend Micro Labs discovered that the Metasploit code was being exploited in the wild to hijack Facebook accounts of users who had smartphones running on Android 4.3 Jellybean and below versions. Now Rapid7 reached out to Google to patch this critical vulnerability and they received a shocking reply from Google. Google has stopped providing security patches for Android 4.3 jelly bean and below versions. This was the reply a security researcher from Metasploit received from Google. The surprised security researcher, Tod Beardsley from Rapid7 Metasploit community reported on the blogpost. To confirm his shock, Tod followed it up with the Google security himself and got the similar reply from Google security team. It seems that Google has stopped providing support only for the Webview component of old Android versions because when Tod enquired further he was told that, “the Android security team did confirm that other pre-KitKat components, such as the multi-media players, will continue to receive back-ported patches.” The problem is that as of now only the Webview component of earlier Android versions is found to be vulnerable, and as proved by Trend Micro Labs, is being exploited in the wild. This is the component that should be patched in all versions as soon as possible so that Android smartphone users are not exploited due to the SOP vulnerability. This also means that a possible 930 million smartphones out there are waiting to be exploited by potential hackers and cybercriminals. According to Google’s latest Android distribution figures, 46 percent of Android devices run Jelly Bean, followed by KitKat at 39.1 percent. The remaining Android users are on Gingerbread (versions 2.3.3-2.3.7, used by 7.8 percent of handsets), Ice Cream Sandwich (versions 4.0.3 to 4.0.4, used by 6.7 percent), and old Froyo (version 2.2, 0.4 percent). Tod Beardsley stated that this as the most “bizarre” decision by Google. The smartphone manufacturers who have marketed these smartphones in yester years are no longer interested in providing patches/support to these build. So who will provide patches for this critical vulnerability and safeguard millions of Android smartphone users who have Android 4.3 and below, aboard their phones, is anybody’s guess.
