The Android Open Source Platform (AOSP) browser, the default browser for devices running versions earlier than Android 4.2, has a bug. But it's a bug so big it's considered a privacy disaster by experts.
The Same Origin Policy (SOP) is a security mechanism browsers use to ensure that one origin can't access properties that belong to another. With the bug, however, malicious sites can implant JavaScript into other sites, which can then read cookies and fields and grab information from those fields, among other things.
"A SOP bypass occurs when a sitea.com is somehow able to access the properties of siteb.com such as cookies, location, response etc. Due to the nature of the issue and potential impact, browsers have a very strict model pertaining to it and a SOP bypass is rarely found in modern browsers. To the best of my knowledge, the issue occurred due to improper handling of null bytes by the URL parser," explained Rafay Baloch, the researcher who discovered the bug.
After uncovering the problem, Baloch got in touch with Google in August, but the company brushed him aside, saying it couldn't reproduce the exploit. Only when Baloch posted his findings on his site and a Metasploit module (a tool hackers use for breaching systems) was developed did Google take him seriously, although he was not credited for spotting the bug.
Google has since released patches for the AOSP browser, but the problem won't go away that easily. For starters, the Android browser doesn't update the way other browsers do: it only gets the patches it needs to combat the bug through system updates. Browsers like Chrome, Firefox, and Opera, on the other hand, receive updates through the Play Store.
While Google has mostly avoided this bug by switching to Chrome as the default browser for Android 4.2 and higher, up to 50 percent of Android users are still using the old default browser. Google's own figures aren't any better, showing that just 24.5 percent of those using Android are on version 4.4.
So far, the only real way to avoid the flaw in the AOSP browser is to not use Android's old default browser at all. Chrome, Firefox, and Opera don't use the broken code that, well, broke AOSP, so they should be safe to use even on devices running versions earlier than Android 4.2.