Researchers: don't type password into Chrome on Android until patched

Security researchers are warning some Android users to steer clear of Chrome on Android for websites that require passwords until they have the latest browser or OS. The question is which devices will actually get the updates.

Google in April fixed a bug that affected Chrome on Android 5.0 Lollipop and Android 4.4 KitKat that made the browser more susceptible to phishing attacks.

Independent security researcher Rafay Baloch discovered an issue in Android that would allow an attacker to create a fake URL in Chrome’s address bar. Though not the worst bug to affect a browser, it could have been used in a phishing attack to present false information in its address bar — one of the most important signals that people can use to distinguish a bogus site from a real one.

Baloch leaned on US security firm Rapid7 and independent researcher Joe Vennix to report the issue to Google, and got their help to develop a proof of concept that demonstrated the bug could be exploited.

“The Android security team responded to Rapid7 that, upon learning of the vulnerability, patches were committed to both KitKat (4.4.x) and Lollipop (5.0.x) main distributions,” said Tod Beardsley, a Metasploit engineer at Rapid7.

The bug was serious enough for Google to release fixes in April for both versions of Android, which together account for half of the more than one billion Android handsets in use.

Baloch explains that an attacker could spam a link to a page designed to capture credentials, for example, for a Google account. If the recipient was on an Android device with Chrome installed, the browser would open and the address bar would appear as if it were connecting to a real Google domain. However, the user would actually be communicating with a site of the attacker’s choice.

Beardsley said the bug is not particularly impressive on its own, but noted that it could be a very valuable tool in a targeted phishing campaign.

“In terms of seriousness, the address bar is supposed to be one of the elements of a browser that a user can trust, absolutely. It's where the lock icon shows up and it's how the browser lets you know what domain you're on. So, violating that trust is pretty serious. However, the vulnerability only helps an attacker establish credibility with the victim. It's useful for a convincing phishing page, for example, but it doesn't get you any of the user's secrets, doesn't provide code execution, nothing like that,” said Beardsley.

The real issue for the other 50 percent of Android users, those on versions older than KitKat, is that they may not get an update at all.

"The implication does appear that Chrome on these older platforms will not be seeing a patch," he said.

Android users with the latest Nexus devices or Android One devices do get updates from Google directly, while updates for many other devices go through carriers or handset makers first.

“On Android 4.4 (KitKat), the browser rendering component is part of the operating system, so the browser and the OS are essentially the same thing. You cannot update the WebView component without an OS update,” he said.

“On Android 5.0 (Lollipop), the rendering engine is updatable via a Play Store update without updating the OS."

Beardsley said the bug is "technically a browser issue”, even though whether a device receives the fix depends on its Android version.

The good news is that other Android applications are unlikely to be affected.

“This is very specific to the browser, and not the underlying components,” said Beardsley.

Rapid7, however, urges Android users to err on the side of caution when using their Android device for online banking or for signing into important accounts such as Gmail.

“In the event that patches are unavailable for a particular handset or carrier, users are advised to avoid using the Chrome browser to perform authentication, especially when following links from untrusted or unverifiable sources until patches are available,” Beardsley said on Rapid7’s disclosure.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
