Online security: Pakistani helps Google avoid privacy disaster

A Pakistani security researcher has helped Google fix a major security flaw in its Android operating system for smartphones, protecting the personal data of millions of smartphone users across the world.
Professional penetration tester and author of the book ‘Ethical Hacking and Penetration Testing Guide’, Rafay Baloch identified a major vulnerability in the Android Open Source Platform (AOSP) Browser and reported it to Google on August 13.
The 21-year-old also shared a proof of concept (PoC) for the security bug – which he defined as a Same Origin Policy (SOP) bypass – with the company but the California-based internet giant could not reproduce it for over two weeks, according to his email correspondence with the Android security team.
It was only after August 31, when the young techie published the details on his blog, that the Android team was able to reproduce the bug and release patches for the AOSP Browser. By then, however, the issue had already been picked up by the world’s major technology blogs and publications, before the company could fix it.
“Right at the start of September, security researcher Rafay Baloch released details on an Android bug that has now been called a ‘privacy disaster’,” www.forbes.com said in a September 16 report.
The report added that anyone not running the latest release, Android 4.4, is affected. “That means as many as 75% of Android devices and millions of users could be open to attack,” it said, citing Google’s own statistics, though it noted that not all of those users are likely to be using the affected browser.
The flaw allows a bypass of the Same Origin Policy (SOP), a protection implemented in most browsers, including Internet Explorer, Mozilla Firefox and Google Chrome, Baloch told The Express Tribune.
The SOP “stops malicious code from spilling over from one site to others open on separate tabs,” the Forbes report said.
“It was a really nasty bug. The mere fact that it potentially gives access to private data is a huge problem; after all, it’s that data that can then be used to commit further crimes against you,” it quoted Professor Alan Woodward, a security expert from the University of Surrey’s computing department, as saying.
This is not the first time Baloch has reported a major security flaw in a global technology company’s software. He has participated in various bug bounty programmes, helping several major internet corporations improve their security.
For example, PayPal rewarded him with $10,000 in cash and a job offer for finding a remote code execution vulnerability, along with several other high-risk vulnerabilities, in the online money transfer service.

Read the Full Article: Source – Tribune
http://tribune.com.pk/story/764713/online-security-pakistani-helps-google-avoid-privacy-disaster/