A Serious vulnerability has been discovered in the Android default browser(AOSP) that allows a malicious website to bypass "Same Origin Policy(SOP)" and steal user's data from other websites opened in other tabs. AOSP browser is the default browser in Android versions older than 4.4.
What is Same Origin Policy?
SOP plays an important role in the Web Security, restricts a website from accessing scripts and data stored by other websites. For example, the policy restricts a site 'Y' from accessing the cookies stored by site 'X' in user's browser.
Same Origin Policy Bypass:
Rafay Baloch, a security researcher, found a security flaw in the "Same Origin Policy" system used by the AOSP browser. The bug allows the website 'Y' to access the scripts and user's data stored by website 'Y'.
Imagine You are visiting attacker's website while your webmail is opened in another tab, the attacker is now able to steal your email data or he can steal your cookies and could use it to compromise your mail account.
Proof of Concept:
<iframe name="test" src="http://www.example.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:alert(document.domain)','test')" >
"Its because when the parser encounters the null bytes, it thinks that the string has been terminated, however it hasn't been, which in my opinion leads the rest of the statement being executed." Rafay said in his blog.
Metasploit Module:
Rafay published the poc on his blog in August. However, it remained largely unnoticed until rapid7 released a metasploit module that exploits the vulnerability.
http://www.rapid7.com/db/modules/auxiliary/gather/android_stock_browser_uxss
This browser also known for the remote code execution vulnerability, has been discontinued by Google. But older versions of Android do come with this browser.
What you should do?
Stop using the default android browser, Use Google Chrome or Mozilla.