Critical Information Leakage Vulnerabilities in 'Next Browser' 1.16 for Android

# Disclosure Date: 30/01/2014
# Author: Keith Makan
# Vendor or Software Link: https://play.google.com/store/apps/details?id=com.jiubang.browser&hl=en
# Version: 1.16
# Tested on: Android 3.2.1 (HTC Flyer)
# Tools : Drozer, Bash


Description

Next Browser for Android (version 1.16) suffers from multiple vulnerabilities that allow applications with no permissions to leak detailed information about a victim's browsing history.

The vulnerabilities discussed here stem from a lack of permission enforcement in the AndroidManifest.xml. Here is the code causing the issue:

   <provider android:name=".provider.BrowserDataProvider" android:authorities="com.jiubang.browser.settings" />

The element above does not make use of the android:permission attribute, which means applications hosted on the victim's Android device do not require any permissions to access the affected data.
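A defender-side check for the misconfiguration described above, added here as an example and not part of the original advisory: it audits a decoded (text XML) AndroidManifest.xml for content providers that other apps can reach without holding a permission. The SDK levels, the second provider and its permission name in the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: the first <provider> is the element quoted in the advisory;
# the SDK levels, second provider and permission name are illustrative assumptions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.jiubang.browser">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16" />
  <application>
    <provider android:name=".provider.BrowserDataProvider"
              android:authorities="com.jiubang.browser.settings" />
    <provider android:name=".provider.ExampleGuardedProvider"
              android:authorities="com.example.guarded"
              android:readPermission="com.example.permission.READ_DATA" />
  </application>
</manifest>"""

def exported_by_default(root):
    """Providers default to exported when min or target SDK is 16 or lower."""
    sdk = root.find("uses-sdk")
    get = (lambda k: sdk.get(ANDROID + k)) if sdk is not None else (lambda k: None)
    min_sdk = int(get("minSdkVersion") or 1)           # platform default is 1
    target_sdk = int(get("targetSdkVersion") or min_sdk)
    return min(min_sdk, target_sdk) <= 16

def audit_providers(manifest_xml):
    """Return (name, authorities, unguarded operations) for each exposed provider."""
    root = ET.fromstring(manifest_xml)
    default_exported = exported_by_default(root)
    findings = []
    for app in root.iter("application"):
        app_perm = app.get(ANDROID + "permission")     # applies to all components
        for prov in app.iter("provider"):
            exported = prov.get(ANDROID + "exported")
            if (exported or str(default_exported)).lower() != "true":
                continue  # not reachable from other apps
            base = prov.get(ANDROID + "permission") or app_perm
            open_ops = [op for op in ("read", "write")
                        if not (prov.get(ANDROID + op + "Permission") or base)]
            if open_ops:
                findings.append((prov.get(ANDROID + "name"),
                                 prov.get(ANDROID + "authorities"), open_ops))
    return findings

if __name__ == "__main__":
    for name, authority, ops in audit_providers(SAMPLE_MANIFEST):
        print(f"{name} ({authority}): no permission required to {' / '.join(ops)}")
```

The second, constructed provider shows that setting only android:readPermission still leaves writes open, which matters here because the advisory covers both reading and overwriting history.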

Impact

Unauthorized applications are capable of abusing this vulnerability to leak data about a victim's browsing history. Furthermore, seeing that this vulnerability occurs in a browser, attackers could exploit this vulnerability to force victims to visit malicious sites, should they be visited from their history.

Currently an estimated 5,000,000 - 10,000,000 installs are affected.

Proof of Concept 

(with Drozer)

History leak attack
History overwrite attack. You should notice that DuckDuckGo replaced the Facebook URL.

Disclosure Timeline

  1. Original Disclosure 30/01/2014
  2. -- No Response noted 08/02/2014
  3. Public Advisory 09/02/2014

Tools

*Please note: this application may suffer from more vulnerabilities; it is still currently under assessment.*
