
Hackers have been actively exploiting a serious vulnerability in Android’s built-in web browser in an effort to hijack the accounts of many Facebook users.

The flaw, which affects Android devices running operating system versions below 4.4, gives attackers the ability to bypass the browser's Same Origin Policy (SOP).

The CVE-2014-6041 vulnerability was originally disclosed in September 2014 by independent security researcher Rafay Baloch. However, recent findings reveal that the bug continues to be exploited widely, likely because Metasploit code for it is publicly available while many Android manufacturers have yet to patch the bug.

“This attack targets Facebook users via a link in a particular Facebook page that leads to a malicious site,” wrote Simon Huang, mobile security engineer.

Huang further explains:

“This page contains obfuscated JavaScript, which includes an attempt to load a Facebook URL in an inner frame. The user will only see a blank page as the page’s HTML has been set not to display anything via its div, while the inner frame has a size of one pixel.”

According to Trend Micro, the JavaScript file that performs the SOP bypass gives attackers the ability to perform numerous tasks using the victim’s Facebook account, such as:

  • Adding Facebook friends
  • Liking and following Facebook pages
  • Modifying subscriptions
  • Authorizing Facebook apps to access the user’s public profile, friends lists, birthday, likes and friends’ likes
  • Stealing the victim’s access tokens
  • Uploading tokens to the attackers’ server
  • Collecting the victim’s location, HTTP referrer and other analytics data
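The page layout Huang describes (a container styled not to display, wrapping a one-pixel frame that loads a Facebook URL) is itself a detectable pattern. The following is an added illustration, not code from the article or from Trend Micro: a small heuristic scanner that flags cross-origin iframes which are hidden or sized to a single pixel. The sample HTML, the hostnames and the `scan` function are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixels (e.g. "1", "1px")."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return digits != "" and int(digits) <= 1

class HiddenFrameDetector(HTMLParser):
    """Flags cross-origin iframes that are hidden or sized to a single pixel."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hidden_stack = []   # one bool per open element: inside display:none?
        self.findings = []       # (frame host, [reasons])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = bool(self.hidden_stack and self.hidden_stack[-1]) or "display:none" in style
        self.hidden_stack.append(hidden)
        if tag != "iframe":
            return
        host = urlparse(a.get("src") or "").hostname
        if host is None or host == self.page_host:  # relative or same-origin frame
            return
        reasons = []
        if hidden:
            reasons.append("inside display:none container")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("frame sized to one pixel")
        if reasons:
            self.findings.append((host, reasons))

    def handle_endtag(self, tag):
        if self.hidden_stack:
            self.hidden_stack.pop()

def scan(html, page_host):
    """Return suspicious cross-origin frames found in one page's HTML."""
    parser = HiddenFrameDetector(page_host)
    parser.feed(html)
    return parser.findings

# Constructed samples (not taken from the reported attack page).
SUSPICIOUS_HTML = ('<html><body><div style="display: none">'
                   '<iframe src="https://www.facebook.com/" width="1" height="1"></iframe>'
                   '</div></body></html>')
BENIGN_HTML = ('<html><body><iframe src="https://video.example.com/embed" '
               'width="560" height="315"></iframe></body></html>')
```

A hidden or one-pixel cross-origin frame is not proof of an SOP-bypass attempt (tracking pixels use the same trick), so treat a hit as a triage signal to be combined with the page's script content and the browser versions seen in the logs.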

In addition, researchers found that the attackers exploiting the code use an official BlackBerry app in order to take over the Facebook accounts. BlackBerry was notified of the findings and is working with Facebook and the researchers to mitigate future attacks.

Although Google released a patch for the security bug back in September, researchers believe millions of smartphones up to Android 4.4 KitKat remain vulnerable.

Users are advised to disable the stock browser on affected devices via Settings > Apps > All: open the Browser entry and select the option to disable it.
