Android stock browser vulnerable to URL spoofing

It's recommended that users install Chrome or another browser

Android browser bug allows attackers to spoof the URLs displayed in the address bar

Android browser bug allows attackers to spoof the URLs displayed in the address bar

A vulnerability in Android's default Web browser lets attackers spoof the URL shown in the address bar, allowing for more credible phishing attacks.

Google released patches for the flaw in April, but many phones are likely still affected, because manufacturers and carriers typically are slow to develop and distribute Android patches.

The vulnerability was discovered by a researcher named Rafay Baloch and was privately reported to Google with the help of security firm Rapid7.

Baloch discovered the flaw on Android 5.0 Lollipop, which uses Chrome as its default browser, but then also confirmed it in the stock browser in older Android versions.

The issue stems from the browser's improper handling of error 204 "No Content" when returned by servers. The researcher created a proof-of-concept exploit that redirects the browser to a non-existent resource on www.google.com, but then loads a spoofed Google Account login page.

The browser patch for Chrome was distributed to Android Lollipop users through Google Play, but the fix for Android 4.4 (KitKat) will require an OS update whose availability will depend on device manufacturers and carriers, said Tod Beardsley, security research manager at Rapid7, via email.

According to Google's official statistics, almost 40 percent of Android devices that access Google Play are running Android 4.4 and only 10 percent run Android 5.x.

Android 4.4 users who haven't received an OS update recently should avoid using the stock browser to access sites that require authentication, Rapid7 said in an advisory. Chrome or other browsers that are updated through Google Play can be good alternatives.

Users who run Android versions older than 4.4 should stop using the Android stock browser, also known as the AOSP browser, anyway because Google will no longer release security patches for it.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags mobile securityGooglescamspatchesExploits / vulnerabilitiesRapid7

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?