Security researchers are warning some Android users to steer clear of Chrome on Android for websites that require passwords until they’ve got the latest browser or OS. The question is which devices will get the updates?
Google in April fixed a bug that affected Chrome on Android 5.0 Lollipop and Android 4.4 KitKat that made the browser more susceptible to phishing attacks.
Independent security researcher Rafay Baloch discovered an issue in Android that would allow an attacker to create a fake URL in Chrome’s address bar. Though not the worst bug to affect a browser, it could have been used in a phishing attack to present false information in its address bar — one of the most important signals that people can use to distinguish a bogus site from a real one.
Baloch leaned on US security firm Rapid 7 and independent researcher Joe Vennix to report the issue to Google and got their help to develop a proof of concept that would sufficiently demonstrate the bug could be exploited.
“The Android security team responded to Rapid7 that, upon learning of the vulnerability, patches were committed to both KitKat (4.4.x) and Lollipop (5.0.x) main distributions,” said Tod Beardsley, a Metasploit engineer at Rapid7.
The patches were serious enough for Google to release fixes for them in April for both versions of Android, which today account for half of more than one billion Android handsets in use.
Rafay explains that an attacker could spam a link to a page that was designed capture credentials, for example, for a Google account. If the recipient was on an Android device with Chrome installed, the browser would then open and the address bar would appears as if it were connecting to a real Google domain. However, the user would actually be communicating with a site of the attacker’s choice.
Beardsley told CSO.com.au that the bug is not particularly impressive, but noted that it could be a very valuable tool in a targeted phishing campaign.
“In terms of seriousness, the address bar is supposed to be one of the elements of a browser that a user can trust, absolutely. It's where the lock icon shows up and it's how the browser lets you know what domain you're on. So, violating that trust is pretty serious. However, the vulnerability only helps an attacker establish credibility with the victim. It's useful for a convincing phishing page, for example, but it doesn't get you any of the user's secrets, doesn't provide code execution, nothing like that,” said Beardsley.
The real issue for the other 50 percent of Android users below KitKat could be that they don't get the an update.
"The implication does appear that Chrome on these older platforms will not be seeing a patch," he said.
Android users with the latest Nexus devices or Android One devices do get updates from Google directly, while updates for many other devices go through carriers or handset makers first.
“On Android 4.4 (KitKat), the browser rendering component is part of the operating system, so the browser and the OS is essentially the same thing. You cannot update the WebView component without an OS update,” he said.
“On Android 5.0 (Lollipop), the rendering engine is updatable via a Play Store update without updating the OS."
Beardsley said that bug is "technically a browser issue”, even though it can only be explained by the Android version.
The good news is that other Android applications are unlikely to be affacted.
“This is very specific to the browser, and not the underlying components,” said Beardsley.
Rapid7 however urges Android users to err on the side of caution if using their Android device for online banking or signing into important accounts like their Gmail.
“In the event that patches are unavailable for a particular handset or carrier, users are advised to avoid using the Chrome browser to perform authentication, especially when following links from untrusted or unverifiable sources until patches are available,” Beardsley said on Rapid7’s disclosure.
This article is brought to you by Enex TestLab, content directors for CSO Australia.