Pakistani researcher reveals privacy flaw in Android browsers

Published September 20, 2014
Rafay Baloch reported a security threat to Google in August that helped the internet giant prevent a ‘privacy disaster’. –– Photo Reuters/ File

As many as 75 per cent of Android devices and millions of users could have been affected by a glitch had it not been for Pakistani security researcher Rafay Baloch. According to media reports, Baloch helped Google identify the threat — dubbed a “privacy disaster” — in its Android Open Source Platform (AOSP) Browser.

In a blog post published earlier this month, Baloch revealed that all users who were not running the latest release, Android 4.4, were vulnerable to the “Same Origin Policy (SOP)” bypass. He first found the vulnerability on his QMobile Noir A20 running Android Browser 4.2.1, and later verified it by running tests on Sony Xperia, Samsung Galaxy, HTC Wildfire and some other handsets.

“Same Origin Policy (SOP) is one of the most important security mechanisms that are applied in modern browsers, the basic idea behind the SOP is the JavaScript from one origin should not be able to access the properties of a website on another origin,” said Baloch on his blog.

Tod Beardsley of Rapid7, in another blog post, explains what this SOP bypass could do: “What this means is any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker’s site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely and read and write webmail on your behalf.

“This is a privacy disaster. The Same Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security,” writes Beardsley.


Google’s delayed response


Email correspondence between Google and Baloch indicated that the researcher had pointed out the bug in mid-August, but the tech giant had told him that they couldn’t reproduce the exploit. Google claimed to be “working internally on a suitable fix” only after Baloch posted about the threat on his blog, a report published in Security Week said.

The report also reveals that in the email correspondence Google refused to give Baloch any credit for pointing out the vulnerability, and said he didn't qualify for a reward or recognition. Baloch replied to the email saying it was "Google's fault for not being able to reproduce it".

"It was a serious security threat and should have been fixed immediately," Baloch said, speaking to The Express Tribune.
