As many as 75 per cent of Android devices and millions of users could have remained exposed to a security flaw had it not been for Pakistani security researcher Rafay Baloch. According to media reports, Baloch helped Google identify the threat — dubbed a “privacy disaster” — in its Android Open Source Platform (AOSP) Browser.

In a blog post published earlier this month, Baloch revealed that all users who were not running the latest release, Android 4.4, were vulnerable to the “Same Origin Policy (SOP)” bypass. He first found the vulnerability on his QMobile Noir A20 running Android Browser 4.2.1, and later verified it by running tests on Sony Xperia, Samsung Galaxy, HTC Wildfire and some other handsets.

“Same Origin Policy (SOP) is one of the most important security mechanisms that are applied in modern browsers; the basic idea behind the SOP is the JavaScript from one origin should not be able to access the properties of a website on another origin,” said Baloch on his blog.

Tod Beardsley of Rapid7, in another blog post, explains what this SOP bypass could do: “What this means is any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker’s site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely and read and write webmail on your behalf.

“This is a privacy disaster. The Same Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security,” writes Beardsley.

Google’s delayed response

Email correspondence between Google and Baloch indicated that the researcher had pointed out the bug in mid-August, but the tech giant had told him that it couldn’t reproduce the exploit. Google claimed to be “working internally on a suitable fix” only after Baloch posted about the threat on his blog, a report published in SecurityWeek said.

The report also reveals that in the email correspondence Google refused to give Baloch any credit for pointing out the vulnerability, and said he didn’t qualify for a reward or recognition. Baloch replied to the email saying it was “Google’s fault for not being able to reproduce it”.

“It was a serious security threat and should have been fixed immediately,” Baloch said, speaking to The Express Tribune.