The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Same Origin Policy Bypass

Unpatched Zero-Days in Microsoft Edge and IE Browsers Disclosed Publicly

Unpatched Zero-Days in Microsoft Edge and IE Browsers Disclosed Publicly

March 30, 2019Mohit Kumar
Exclusive — A security researcher today publicly disclosed details and proof-of-concept exploits for two 'unpatched' zero-day vulnerabilities in Microsoft's web browsers after the company allegedly failed to respond to his responsible private disclosure. Both unpatched vulnerabilities—one of which affects the latest version of Microsoft Internet Explorer and another affects the latest Edge Browser —allow a remote attacker to bypass same-origin policy on victim's web browser. Same Origin Policy (SOP) is a security feature implemented in modern browsers that restricts a web-page or a script loaded from one origin to interact with a resource from another origin, preventing unrelated sites from interfering with each other. In other words, if you visit a website on your web browser, it can only request data from the same origin [domain] the site was loaded from, preventing it from making any unauthorized request on your behalf in order to steal your data, from othe
Critical "Same Origin Policy" Bypass Flaw Found in Samsung Android Browser

Critical "Same Origin Policy" Bypass Flaw Found in Samsung Android Browser

December 29, 2017Mohit Kumar
A critical vulnerability has been discovered in the browser app comes pre-installed on hundreds of millions of Samsung Android devices that could allow an attacker to steal data from browser tabs if the user visits an attacker-controlled site. Identified as CVE-2017-17692 , the vulnerability is Same Origin Policy (SOP) bypass issue that resides in the popular Samsung Internet Browser version 5.4.02.3 and earlier. The Same Origin Policy or SOP is a security feature applied in modern browsers that is designed to make it possible for web pages from the same website to interact while preventing unrelated sites from interfering with each other. In other words, the SOP makes sure that the JavaScript code from one origin should not be able to access the properties of a website on another origin. The SOP bypass vulnerability in the Samsung Internet Browser, discovered by Dhiraj Mishra , could allow a malicious website to steal data, such as passwords or cookies, from the sites ope
Comodo's so-called 'Secure Internet Browser' Comes with Disabled Security Features

Comodo's so-called 'Secure Internet Browser' Comes with Disabled Security Features

February 03, 2016Unknown
Beware Comodo Users! Have you Safeguarded your PC with a Comodo Antivirus? Then you need to inspect your system for privacy and security concerns. First of all, make sure whether your default browser had been changed to " Chromodo " -- a free browser offered by Comodo Antivirus. If your head nod is " Yes ," then you could be at risk! Chromodo browser, which is supplied along with the installation of Comodo Anti-Virus Software and marketed as 'Private Internet Browser' for better security and privacy, automatically overrides system settings to set itself as your 'Default Browser.' And secondly, the main security concern about Comodo Antivirus is that the Chromodo browser has 'Same Origin Policy' (SOP) disabled by default. Google's security researcher Tavis Ormandy , recently shouted at Comodo for disabling SOP by default in its browser settings that violates one of the strongest browser security policy. Orm
Microsoft Internet Explorer Universal Cross-Site Scripting Flaw

Microsoft Internet Explorer Universal Cross-Site Scripting Flaw

February 04, 2015Swati Khandelwal
A serious vulnerability has been discovered in all the latest versions of Microsoft's Internet Explorer that allows malicious hackers to inject malicious code into users' websites and steal cookies, session and login credentials. UNIVERSAL XSS BUG WITH SAME ORIGIN POLICY BYPASS The vulnerability is known as a Universal Cross Site Scripting (XSS) flaw. It allows attackers to bypass the Same-Origin Policy, a fundamental browser security mechanism, in order to launch highly credible phishing attacks or hijack users' accounts on any website. The Same Origin Policy is one of the guiding principles that seek to protect users' browsing experience. SOP actually prevents one site from accessing or modifying the browser properties, such as cookies, location, response etc, by any other site, ensuring that no third-party can inject code without the authorization of the owner of the website. DEMONSTRATION Recently, a proof-of-concept exploit published by a group, known as Deusen, sho
Hacking Facebook Accounts Using Android 'Same Origin Policy' Vulnerability

Hacking Facebook Accounts Using Android 'Same Origin Policy' Vulnerability

December 29, 2014Wang Wei
A serious security vulnerability has been discovered in the default web browser of the Android OS lower than 4.4 running on a large number of Android devices that allows an attacker to bypass the Same Origin Policy (SOP). The Android Same Origin Policy (SOP) vulnerability ( CVE-2014-6041 ) was first disclosed right at the beginning of September 2014 by an independent security researcher Rafay Baloch. He found that the AOSP (Android Open Source Platform) browser installed on Android 4.2.1 is vulnerable to Same Origin Policy (SOP) bypass bug that allows one website to steal data from another. Security researchers at Trend micro in collaboration with Facebook have discovered many cases of Facebook users being targeted by cyber attacks that actively attempt to exploit this particular flaw in the web browser because the Metasploit exploit code is publicly available, which made the exploitation of the vulnerability much easier. The Same Origin Policy is one of the guidin
New Android Browser Vulnerability Is a “Privacy Disaster” for 70% Of Android Users

New Android Browser Vulnerability Is a "Privacy Disaster" for 70% Of Android Users

September 16, 2014Mohit Kumar
A Serious vulnerability has been discovered in the Web browser installed by default on a large number (Approximately 70%) of Android devices, that could allow an attacker to hijack users' open websites, and there is now a Metasploit module available to easily exploit this dangerous flaw. The exploit targets vulnerability ( CVE-2014-6041 ) in Android versions 4.2.1 and all older versions and was first disclosed right at the start of September by an independent security researcher Rafay Baloch, but there has not been much public discussion on it. The Android bug has been called a " privacy disaster " by Tod Beardsley, a developer for the Metasploit security toolkit, and in order to explain you why, he has promised to post a video that is " sufficiently shocking ." " By malforming a javascript: URL handler with a prepended null byte, the AOSP, or Android Open Source Platform (AOSP) Browser) fails to enforce the Same-Origin Policy (SOP) browser secur
Exclusive Offers

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.