A vulnerability has been found in the Android Browser that could potentially have serious privacy implications for its users. If the flaw in the browser is exploited correctly, a malicious third party could gain access to passwords, cookies, keyboard input, and more with a simple JavaScript injection.
The flaw involves the Android Browser's Same Origin Policy, which should prevent one website from gaining access to content from another website. As the researcher who discovered the bug, Rafay Baloch, has realized, if you craft your JavaScript code in a particular way, the Same Origin Policy can be ignored completely thereby giving the code free reign over browser content.
The vulnerability was initially reported to Google by Baloch, who told him that they couldn't reproduce the issue. However, Google has since begun listening after reports of the issue became more widespread, and currently they say they're working on a solution.
The Android Browser is a discontinued browser that forms part of the AOSP software package which is included with many smartphones. While the browser used to be the default in Android, since Android 4.2 Google has switched to Chrome, which is not vulnerable in the same manner. In Android 4.4 the last remaining portions of the Android Browser (embedded webpages in apps) were removed in favor of Chrome.
Despite the switch to Chrome, around half of the total Android user base still uses the Android Browser for one reason or another. Although Google is developing a fix to the problem, Android updates are typically quite slow at reaching all the necessary users, so many people could remain vulnerable for the foreseeable future.
If you're an Android user currently using the Android Browser, we recommend switching to an alternate browser to keep safe, such as Chrome (the Android default) or others like Firefox and Opera.