Sign up to our newsletter
Major vulnerabilities have been detected in Dolphin and Mercury Android browsers that could have provided cybercriminals with the opportunity to launch zero-day attacks.
This is considered to be a notable discovery. With both browsers growing in popularity – it is estimated that over 100 million downloads have been made between the two browsers – the fallout of a potential attack could be huge.
The flaws were uncovered by Benjamin Watson, a mobile security researcher who blogs under the pseudonym of rotlogix.
With regards to Dolphin, the expert wrote that the vulnerability makes it possible for attackers to perform remote code execution.
“An attacker with the ability to control the network traffic for users of the Dolphin browser for Android, can modify the functionality of downloading and applying new themes for the browser,” he explained.
“Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user’s device.”
As for Mercury, Mr Watson said that the defect evident in this browser could allow a cybercriminal to remotely perform arbitrary reading and writing of files within its data directory.
This is made possible through a weakness in the implementation of the Intent URI scheme – because of this, an attacker can “invoke private activities through a crafted HTML page”.
Also observed in Mercury was a path traversal vulnerability. This was found within a custom web server used to support the browser’s Wi-Fi transfer feature. The anomaly meant that he could read data within its data directory.
“This was a great find in the sense that it meant I could essentially download and exfiltrate files being stored by the browser’s data directory,” Mr Watson discussed.
“It did not take me long as well to validate that I could write and overwrite files within the browser’s directory using the upload functionality and path traversal vulnerability.”
The security professional has recommended that users of Dolphin and Mercury immediately cease using the browser while patches are made. Both have been made aware of the vulnerabilities.
Following the publication of this story, Dolphin has been in touch with We Live Security and provided an update of the situation.
A member of the team said: “We found out the root cause of this issue and applied the fix. The fix should be available for all users to download today.”
Further details provided courtesy of Dolphin below:
1. Dolphin Themes were previously downloaded through HTTP protocol, when it should have been HTTPs protocol.
2.Dolphin did not previously verify the Theme package, which left room for exploitation. We added additional security checks to make sure theme packages are safe before users apply them to Dolphin browser.
3. Dolphin previously did not perform security checks for our dynamic libraries. The new security patch will verify and make sure these library files are not modified before they are being loaded.
We’re committed to making sure our users are secure and are doing our best to address any issues as they come up. If you do have any additional questions or concerns, you can reach out to us via social media or at firstname.lastname@example.org.
This article was updated on 1st September to include Dolphin’s response (28th August).
Author Karl Thomas, ESET