Android Browser – Address Bar and Content Spoofing Vulnerability

android_address_content_spoofing- picateshackz.com

Address Bar Spoofing Vulnerability

Google security team themselves state that “We recognize that the address bar is the only reliable security indicator in modern browsers” and if the only reliable security indicator could be controlled by an attacker it could carry adverse affects, For instance potentially tricking users into supplying sensitive information to a malicious website due to the fact that it could easily lead the users to believe that they are visiting is legitimate website as the address bar points to the correct website.

Few months ago it discovered an address bar spoofing vulnerability affecting Android Stock Browser on all Android versions. The tests were carried out on Android Lollipop and later were confirmed on prior versions.

The issue is caused due to the fact that the browser fails to handle 204 error “No Content” responses when combined with window.open event and therefore allowing us to spoof the address bar.


Steps To Reproduce

1) Visit http://jsfiddle.net/dy4swq4o/show/ with Unpatched Android Stock Browser.


2) click the “Click here to be redirected” button

3) Android browser will open a new tab with the browser pointing to “http://www.google.com/csi” in the address bar, which makes the victim believe that they are infact visiting a legitimate website, however in reality the page is not hosted on google.com. 

4) As soon as the victim enters his/her credentials, they are sent to attacker.com.

Note: Please visit https://jsfiddle.net/dy4swq4o/ for unrendered version of the POC.


Proof of Concept

The following is a screenshot of Samsung Galaxy S5 running latest android stock browser, as you may notice that the address bar points to https://www.google.com/csi (Which returns a 204 response), which makes the user believe that he is infact visiting a legitimate site however it’s hosted on attacker’s domain name. 

android_address_content_spoofing- picateshackz.com

Notes: Joe Vennix suggests that you might have to play with my timeout value , and he found 1500 – 2000 to work much more consistently. This issue is due to the fact that, In case if the timeout fires too soon (before the NO CONTENT response is received from gmail.com), the new page will just have a blank URL bar.


Credits

The proof of concept was initially created by “Rafay Baloch”, however it was later modified and improvised by “Joe Vennix” and “Tod Beardsley” from Rapid7 team handling the disclosure.

Mitigation

The Android security team has responded by releasing patches committed to both Kitkat and Lollipop main distributions. Users are advised to contact their carriers to determine if they have received updated versions of these operating systems.”

Kitkat Content Spoofing Vulnerability

The following is a low risk vulnerability that was found few months ago while testing the latest Android Stock browser on Android Kitkat. The issue that was found is commonly referred as Content spoofing Vulnerability or dialog box spoofing vulnerability which could be used to fake an alert message on a legitimate website.

In other words, we could display an alert box (Of our choice) on the site of our choice. Whereas in chrome, Firefox and other browser the alert box appears on correct tab.

POC

<a onclick=”test()”>CLICK</a>
<script> function test()
{ window.open(‘http://bing.com/’) setTimeout (function(){alert(“HACKED”);}, 5000) }
</script>

Upon executing the above code, the alert box would be displayed on bing.com.


android_address_content_spoofing- picateshackz.com

Technical Details

The issue resides inside of the ASOP browser, and more specifically due to the fact the webview fails to overwrite the WebChromeClient.onJsAlert() method which is responsible for displaying the javascript alert box and this way webview is not able to switch the JsAlert() to the correct tab.



You may also like...

Close