Critical UXSS Vulnerability in DuckDuckGo Android Browser Exposes Users to Cross-Origin Attacks
A significant security flaw has been identified in the DuckDuckGo Android browser, posing a serious risk to user data and privacy. This Universal Cross-Site Scripting (UXSS) vulnerability, assigned a high-severity CVSS score of 8.6, enables malicious actors to execute arbitrary JavaScript code across different origins, effectively bypassing the Same-Origin Policy (SOP).
Understanding the Vulnerability
The root of this vulnerability lies in the AutoconsentAndroid JavaScript bridge, a native component integrated into web pages by the DuckDuckGo Android application (com.duckduckgo.mobile.android). This bridge is designed to facilitate seamless communication between the browser’s native Android code and the web content displayed. However, it was discovered that the bridge lacked proper security validations, allowing untrusted cross-origin iframes to interact with it without any authentication checks.
Specifically, the AutoconsentAndroid bridge processes incoming messages from any frame, including those from different origins, without verifying the sender’s origin or requiring authentication tokens. Upon receiving a message, the bridge’s internal evalhandler function processes it and invokes the webView.evaluateJavascript(…) method. In the context of Android WebViews, this method executes the provided JavaScript code directly within the top-level document, rather than the isolated iframe from which the message originated.
Exploitation Scenarios
Because of this flaw, a malicious iframe embedded within a legitimate webpage can use the AutoconsentAndroid bridge as a conduit. By sending a crafted message containing malicious JavaScript, the iframe can compel the top-level page to execute that code, bypassing the Same-Origin Policy, the fundamental security mechanism that prevents scripts on one origin from accessing data belonging to another.
The implications of this vulnerability are severe. Attackers could steal sensitive information such as session cookies and authentication tokens, or inject malicious content into any trusted website the user visits through the vulnerable browser. Notably, exploiting this UXSS vulnerability requires no user interaction beyond loading a page: tricking a user into visiting a website containing a hidden malicious iframe is sufficient for an attacker to execute arbitrary code across origins.
Discovery and Disclosure
The vulnerability was initially detailed in a Medium post by security researcher Dhiraj Mishra. Following responsible disclosure through HackerOne, DuckDuckGo promptly addressed the issue. The vulnerability has been patched in recent releases of the Android browser. Users and enterprise administrators are strongly advised to update their DuckDuckGo application to the latest available version to prevent potential exploitation.
Broader Implications
This incident underscores the critical importance of rigorous security practices in browser development, especially concerning components that bridge native code and web content. Ensuring proper origin validation and authentication mechanisms are in place is essential to prevent such vulnerabilities. Users should remain vigilant and keep their applications updated to mitigate the risks associated with such security flaws.