A security researcher identified the bug not so long ago

Sep 17, 2014 09:29 GMT  ·  By

You might be familiar the name Rafay Baloch, a security researcher who discovered a new bug in Android just towards the beginning of this month.

As Forbes now points out, this bug has the potential to do a lot of damage privacy-wise to all devices that don’t run the latest Android 4.4 KitKat version.

Baloch actually calls the little monster “a privacy disaster,” and he might be right in using this bombastic statement to paint the situation.

All devices not running Android 4.4 KitKat stand to be affected

Google’s own statistics show that 75% of all Android devices are currently running some other version of the OS, and not Android 4.4 KitKat. Even so, not all products might be using the affected Android Open Source Platform (AOSP) Browser.

What does this newly-discovered privacy vulnerability cause in Android? Well, it gives a hacker the possibility to bypass the Same Origin Policy protection that is an integral part of all mobile browsers.

In theory, this protection should prohibit malicious or alien code from jumping from one website to another, but it appears that the system can now be breached.

Without this security, a hacker is actually given “permission” to read passwords, fiddle with a user’s session, and scrape web pages.

To prove that this can be done, Baloch hijacked a Samsung Galaxy S3, Motrola Razr, the Sony Xperia Tipo, HTC Evo 3D, and Wildfire.

Baloch contacted Google directly about the flaw, but their reaction was quite stern. They got back to him saying they couldn’t reproduce the exploit.

However, according to Baloch, once the news went public, Google immediately changed position and claimed that they were quite capable of dealing with the problem.

Google apparently fixed the issue

Subsequently, Google rolled out some patches for AOSP, but Baloch didn’t get any credit for contributing. Apparently, the tech giant told the researcher that he did not qualify for a reward or recognition.

Anyway, the good news is that Google patched the exploit, since there are lot of users still holding on to devices that are running older versions of the OS.

This happens because some device manufacturers have failed to roll out the Android 4.4 KitKat update to their products or because some users abstained from upgrading to the latest build.

Most of the times, when a new update arrives into the wild for a device, it can cause some serious issues to the product.

To give you an example, the Android 4.4.2 KitKat update for the Dell Venue 7 or Venue 8 set of tablets might cause some devices to brick, so some users have basically put off in doing so.