Security flaw leaves Android users vulnerable to hackers

A dangerous security bug found in as many as 70 percent of Android devices could enable malware to hack users’ open browser tabs.

The vulnerability, found in the stock browser of Android releases under 4.4, allows sites controlled by hackers to inject code into other tabs that the user has open. Hackers could potentially access privileged user information including passwords, internet history and keyboard input.

Security researcher Ray Baloch discovered the bug and published a detailed explanation of it on Aug. 31. The bug defeats the checks within the browser engine that prevent scripts from modifying resources that came from a different web page, a protection known as the same-origin policy.

Although Google has been made aware of the security breach and released patches to the Android Open Source Project that address the issue, a more user-friendly solution for the masses has yet to roll out. In the meantime, internet security firm Metasploit has conducted its own independent research on the vulnerability and developed an update for its penetration-testing software that will detect the bug.

For users who are running versions of Android afflicted by this browser problem, the only solution appears to be avoiding the use of the default Android browser. This browser can be disabled from the settings menu for additional security. Google’s Chrome browser as well as Firefox are confirmed by Metasploit to be free of the security bug, although other third-party browsers based on the same WebView system as the compromised browser may contain the same vulnerability.
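
Site operators and IT teams can estimate how many of their visitors still use an affected browser by checking the User-Agent strings in their web server logs. The following is an added example, not part of the original article: the User-Agent patterns are heuristic assumptions about how these browsers commonly identify themselves, the log lines are constructed, and `ExampleBrowser` is a hypothetical third-party browser name.

```python
import re
from collections import Counter

# Heuristic patterns (assumptions, not an authoritative fingerprint).
ANDROID_VER = re.compile(r"Android (\d+)\.(\d+)")
# The stock browser typically ends "... Version/4.0 Mobile Safari/534.30" with no extra product token.
STOCK_TAIL = re.compile(r"Version/\d+\.\d+ (Mobile )?Safari/[\d.]+$")
# The User-Agent is the last quoted field of a combined-format access log line.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')

def classify(ua):
    """Return 'at-risk', 'review' or 'ok' for one User-Agent string."""
    m = ANDROID_VER.search(ua)
    # Not Android, no version stated, or Android 4.4 and later: outside the affected range.
    if not m or (int(m.group(1)), int(m.group(2))) >= (4, 4):
        return "ok"
    # The article reports Chrome and Firefox as free of the bug.
    if "Chrome/" in ua or "Firefox/" in ua:
        return "ok"
    # Looks like the default browser on an affected Android release.
    if "AppleWebKit/" in ua and STOCK_TAIL.search(ua):
        return "at-risk"
    # Another browser on an old release: may share the same WebView, so check it by hand.
    return "review"

def tally(log_lines):
    """Count classifications across access log lines; lines without a quoted field are skipped."""
    counts = Counter()
    for line in log_lines:
        m = UA_FIELD.search(line)
        if m:
            counts[classify(m.group(1))] += 1
    return counts

# Constructed sample log lines (documentation IP range, made-up requests).
PREFIX = '192.0.2.10 - - [15/Sep/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
SAMPLE_UAS = [
    "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
    "Mozilla/5.0 (Linux; Android 4.1.2; Nexus 7 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.117 Safari/537.36",
    "Mozilla/5.0 (Android; Mobile; rv:32.0) Gecko/32.0 Firefox/32.0",
    "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; GT-I9505 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 ExampleBrowser/1.0 Mobile Safari/534.30",
]
SAMPLE_LOG = [PREFIX + '"' + ua + '"' for ua in SAMPLE_UAS]

if __name__ == "__main__":
    print(dict(tally(SAMPLE_LOG)))
```

User-Agent strings can be changed by the client, so the counts are an estimate for planning user guidance rather than proof that a given device is vulnerable.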
