In the Dolpin and Mercury Browsers for Android are vulnerabilities that an attacker could execute arbitrary code on the system or the files can read the browser and for which no update for developers is available.Reported researcher "rotlogix".
Dolphin Browser is installed between 50 million and 100 million times and claims to be the best Android browser. To attack the vulnerability, an attacker must be between the Internet and the user, for example in a wireless network. Then, the attacker must wait until the user downloads a new Dolphin Browser-theme and install. Through themes users can customize the appearance of the browser.
The download takes place over HTTP, allowing an attacker to offer a customized theme. The evil theme then let the attacker run arbitrary code in the context of the browser. The developers of the Dolphin Browser have been notified, but an update is not yet available. Pending the update, users download the advice not new themes in a network environment that they do not manage. Another possibility is to use temporarily a different browser.
Mercury Browser
Another browser for Android where the investigator found problems in the Mercury Browser. This browser has been downloaded between 50,000 and 100,000 times. Through various vulnerabilities in the browser, an attacker can read files in the data directory of the browser and customize it. To carry out the attack, the user must open a specially prepared HTML file. Also in this case, there is still no solution is available. Users also are advised to remove the browser from their device and use an alternative.
Michael from Dolphin Browser here. Wanted to provide an update on this situation. We found out the root cause of this issue & applied the fix. Since the fix is currently undergoing a staged rollout, it will take at least 24 hours to apply the fix to all Dolphin users. If you would like to test the fix immediately, the APK is here -> https://www.dropbox.com/s/z6k2rmishvnwvwh/DolphinOne_EN__88_Release_Signed.apk?dl=0
ReplyDeleteHere is a quick update about this fix/issue:
1. Dolphin Themes were previously downloaded through HTTP protocol, when it should have been HTTPs protocol.
2. Dolphin did not previously verify the Theme package, which left room for exploitation. We added additional security checks to make sure Theme packages are safe before users apply them to Dolphin Browser.
3. Dolphin previously did not perform security checks for our dynamic libraries (e.g. libdolphin.so:). The new security patch will verify and make sure these library files are not modified before they are being loaded.
We're committed to making sure our users are secure and are doing our best to address any issues as they come up. If you do have any additional questions or concerns, you can reach out to us via social media or at support@dolphin.com.
Best,
Michael
Dolphin Team