Android Chrome Address Bar Spoofing (R7-2015-07)

Summary

Due to a problem in handling 204 "No Content" responses combined with a window.open call, an attacker can cause the stock Chrome browser on Android to render HTML pages in a misleading context. This effect was confirmed on an Android device running Lollipop (5.0). An attacker could use this vulnerability to convince the victim of a phishing e-mail, text message, or link to enter private credentials into an untrusted page controlled by the attacker.

Credit

Rafay Baloch discovered the vulnerability, and worked with Joe Vennix to improve the proof of concept to demonstrate the vulnerability. Both are independent researchers who worked with Rapid7 to handle disclosure, per Rapid7's disclosure policy.

Exploitation

Rafay Baloch has provided a detailed analysis of this bug, including a proof of concept demonstration, at his site, Rafay's Hacking Articles. An unrendered example version of the proof of concept from Joe Vennix can be seen at this JSFiddle.

Mitigation

The Android security team responded to Rapid7 that, upon learning of the vulnerability, patches were committed to both KitKat (4.4.x) and Lollipop (5.0.x) main distributions. Users are advised to contact their carriers to determine if they have received updated versions of these operating systems.

In the event that patches are unavailable for a particular handset or carrier, users are advised to avoid using the Chrome browser to perform authentication until patches are available, especially when following links from untrusted or unverifiable sources.

Disclosure Timeline

  • Mon, Feb 09, 2015: Reported to security@android.com by Rafay Baloch
  • Thu, Mar 26, 2015: Disclosed to Rapid7 and Joe Vennix
  • Wed, Apr 01, 2015: Proof of Concept improved by Joe Vennix
  • Fri, Apr 03, 2015: Reported to security@android.com and CERT/CC by Rapid7
  • Tue, Apr 07, 2015: Vendor responds, patch available on Lollipop
  • Thu, Apr 30, 2015: Vendor responds, patch available on KitKat
  • Mon, May 18, 2015: Public disclosure