Facebook Users Targeted By Android’s Same Origin Policy (SOP) Vulnerability
By Paul Liu
Monday, January 26th, 2015

The Same Origin Policy (SOP) bug, which is found in the older versions of Android operating system, is now being exploited by the hackers to target Facebook users. This was confirmed by a number of security companies who now say that the bug is more widespread than was previously thought. The SOP vulnerability was discovered by a Pakistani researcher last year and it is believed to infect all pre 4.4 versions of the Android operating system. Since older versions of Android are still being used by a large number of Smartphone and tablet users (according to estimates, about 75% of Android devices have pre 4.4 builds), the vulnerability has the potential to impact millions of Facebook users from all over the world.
The Same Origin Policy flaw affects Android Browser, a legacy browser which forms a part of AOSP (Android Open Source Platform) application package and was discontinued in favor of Chrome in version 4.4. The vulnerability affects the WebView component of the browser and prevents a webpage from accessing content from another site. The bug makes it possible to replace attributes of HTML objects with malicious content through scripting languages like Javascript. This allows the hackers to bypass the security measures in place and scrape cookies and data from the pages that are being accessed by the browser. As you can imagine, this could prove very dangerous since the attackers get easy access to all the data, including personal data, which is present on the page.
While the bug can extract data from any website, it is especially dangerous for Facebook users since it leads them to a dangerous Facebook page which in turn redirects to a malicious website. The site contains hidden JavaScript code and attempts to load a Facebook link in a small and almost invisible frame. Once the attackers are able to load their Facebook page for a particular user, they can add friends, modify Facebook subscriptions, like and follow pages, authorize apps to access the user’s profile, likes, birthday information as well as friends’ list; collect location and referrer information about the user and even steal the user’s Facebook access tokens. The interesting thing is that the user remains completely unaware of the actions being performed on his Facebook account since the site is programmed to display a totally blank page to visitors.
The SOP vulnerability also takes advantage of the trusted BlackBerry Facebook web app to propagate itself. Although Blackberry has mentioned that the issue is not related to exploit of its software or devices, it is working with Facebook and other stakeholders in order to fix it. Google has also released a patch for the bug but Android users who are using a very old version of the OS may not be able to update their browser or OS until their vendor releases a patched version. If you are using an old version of Android, you should either migrate to version 4.4+ immediately or stop using the Android browser altogether in order to remain safe from the vulnerability.
January 26, 2015