Recently, information security professionals revealed a new vulnerability in the Android web browser. The vulnerability can allow websites to gain unauthorized access to files stored on the smartphone's SD card. Google is reported to be investigating the vulnerability, which was first reported by Thomas Cannon. Information security professionals opine that the vulnerability can be exploited to gain access to other files and data stored on the phone.


Ethical hacking and vulnerability assessment tests are used by IT experts to identify vulnerabilities. The cause of this vulnerability has been identified as the permission feature of the browser. The Android browser does not prompt for permission before downloading files, and the files are automatically saved to the phone's SD card. JavaScript can be executed without permission, leading to disclosure of data. Because devices have default or commonly used names for applications and files, exploits can gain access to music files, photographs, video files and other privileged information. When users visit a malicious webpage, the files on the SD card can be seized, facilitating unauthorized access.

The vulnerability affects all versions of Android, including Froyo (Android 2.2), and popular handsets such as the HTC Desire that run Froyo. Another team of information security professionals has reproduced the exploit on the Google Nexus One and the Samsung Galaxy Tab.

Nevertheless, Android users can mitigate the vulnerability by disabling JavaScript and by using browsers that prompt for permission and restrict automatic download of files and applications.

The vulnerability was revealed at a time when the Android security team is due to release its security update for Android 2.3 (Gingerbread).