<iframe name="test" src="http://www.example.com"></iframe>

<input type=button value="test" onclick="window.open('\u0000javascript:alert(document.domain)','test')" >

A serious vulnerability has been discovered in the Android default browser (AOSP) that allows a malicious website to bypass the "Same Origin Policy" (SOP) and steal a user's data from other websites opened in other tabs. The AOSP browser is the default browser in Android versions older than 4.4.

SOP plays an important role in web security: it restricts a website from accessing scripts and data stored by other websites. For example, the policy restricts a site 'Y' from accessing the cookies stored by site 'X' in the user's browser.

Rafay Baloch, a security researcher, found a security flaw in the "Same Origin Policy" system used by the AOSP browser. The bug allows the website 'Y' to access the scripts and user's data stored by website 'X'.

Imagine you are visiting an attacker's website while your webmail is open in another tab: the attacker is now able to steal your email data, or steal your cookies and use them to compromise your mail account.

"It's because when the parser encounters the null bytes, it thinks that the string has been terminated, however it hasn't been, which in my opinion leads the rest of the statement being executed," Rafay said in his blog.

Rafay published the PoC on his blog in August. However, it remained largely unnoticed until Rapid7 released a Metasploit module that exploits the vulnerability.

This browser, also known for the remote code execution vulnerability, has been discontinued by Google. But older versions of Android do come with this browser.

Stop using the default Android browser; use Google Chrome or Mozilla.
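
A defensive check for the pattern in the proof of concept above, added here as an example and not taken from Rafay's post or the Metasploit module: it scans page source for a javascript: URL preceded by a NUL character in raw or escaped form. The function name, the list of NUL encodings and the sample markup are assumptions constructed for this example.

```javascript
// Added example: flag page source that hands a NUL-prefixed "javascript:" URL
// to the browser, as the proof of concept on this page does.

// Ways a NUL character can be written in HTML/JS source (assumed list):
// raw byte, \u0000, \x00, \0, %00, &#0; and &#x0;
const NUL_FORMS =
  String.raw`(?:\x00|\\u0000|\\x00|\\0(?![0-9])|%00|&#0+;|&#x0+;)`;

// One or more NUL forms, optional whitespace, then the javascript: scheme.
const NUL_SCRIPT_URL = new RegExp(`${NUL_FORMS}+\\s*javascript\\s*:`, 'gi');

// Returns one record per hit: 1-based line and column plus the matched text.
function findNulPrefixedScriptUrls(source) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(NUL_SCRIPT_URL)) {
      hits.push({ line: i + 1, column: m.index + 1, match: m[0] });
    }
  });
  return hits;
}

// Constructed sample markup. Line 1 is the button from the proof of concept;
// lines 2 and 3 are ordinary links that must not be flagged.
const SAMPLE = [
  String.raw`<input type=button onclick="window.open('\u0000javascript:alert(document.domain)','test')">`,
  `<a href="https://www.example.com/">home</a>`,
  `<a href="javascript:void(0)">menu</a>`,
  `<a href="%00JavaScript:void(0)">percent-encoded NUL</a>`,
  `<a href="&#0;javascript:void(0)">HTML entity NUL</a>`,
].join('\n');

for (const hit of findNulPrefixedScriptUrls(SAMPLE)) {
  console.log(`line ${hit.line}, col ${hit.column}: ${JSON.stringify(hit.match)}`);
}
```

A plain javascript: link is deliberately left alone here; the check targets only the NUL prefix that this bug depends on.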