Android Browser All Versions - Address Bar Spoofing Vulnerability

Introduction

Google security team themselves state that "We recognize that the address bar is the only reliable security indicator in modern browsers" and if the only reliable security indicator could be controlled by an attacker it could carry adverse affects, For instance potentially tricking users into supplying sensitive information to a malicious website due to the fact that it could easily lead the users to believe that they are visiting is legitimate website as the address bar points to the correct website.  

Android Stock Browser Address Bar Spoofing


Few months ago i discovered an address bar spoofing vulnerability affecting Android Stock Browser on all Android versions. The tests were carried out on Android Lollipop and later were confirmed on prior versions. 

The issue is caused due to the fact that the browser fails to handle 204 error "No Content" responses when combined with window.open event and therefore allowing us to spoof the address bar.

Steps To Reproduce


1) Visit http://jsfiddle.net/dy4swq4o/show/ with Unpatched Android Stock Browser.
2) click the "Click here to be redirected" button
3) Android browser will open a new tab with the browser pointing to "http://www.google.com/csi" in the address bar, which makes the victim believe that they are infact visiting a legitimate website, however in reality the page is not hosted on google.com. 
4) As soon as the victim enters his/her credentials, they are sent to attacker.com

Note: Please visit https://jsfiddle.net/dy4swq4o/ for unrendered version of the POC.

Proof of Concept

The following is a screenshot of Samsung Galaxy S5 running latest android stock browser, as you may notice that the address bar points to https://www.google.com/csi (Which returns a 204 response), which makes the user believe that he is infact visiting a legitimate site however it's hosted on attacker's domain name. 


Notes: Joe Vennix suggests that you might have to play with my timeout value , and he found 1500 - 2000 to work much more consistently. This issue is due to the fact that,  In case if the timeout fires too soon (before the NO CONTENT response is received from gmail.com), the new page will just have a blank URL bar.

Credits

The proof of concept was initially created by me, however it was later modified and improvised by "Joe Vennix". I would like to sincerely thank "Tod Beardsley" from Rapid7 team for handling the disclosure for me. Kudos!

Mitigation

The Android security team has responded by releasing patches committed to both Kitkat and Lollipop main distributions. Users are advised to contact their carriers to determine if they have received updated versions of these operating systems."

Disclosure Timeline

Feb 09, 2015: Reported to security@android.com by Rafay Baloch
Mar 26, 2015: Disclosed to Rapid7 and Joe Vennix Wed
Apr 01, 2015: Proof of Concept improved by Joe Vennix Fri
Apr 03, 2015: Reported to security@android.com and CERT/CC by Rapid7 Tue
Apr 07, 2015: Vendor responds, patch availabile on Lollipop Thu
Apr 30, 2015: Vendor responds, patch availabile on KitKat Mon
May 18, 2015: Public disclosure