Dolphin, Mercury Android browsers open to hackers

Huge security flaws have been discovered in the popular Dolphin and Mercury Android browsers and these could be exploited by hackers to gain remote access to files in the applications. The companies behind both tools have been contacted and made aware of the problem.

The vulnerabilities were found by security researcher Rotologix, who disclosed zero-day flaws in the browsers that allow hackers to carry out remote code execution. The Dolphin and Mercury browsers for Android each have a huge user base that could be exposed to the issues, the former having up to 100 million downloads and the latter almost 1 million.

Someone hacking into the software can control the Dolphin browser’s network traffic, which allows them to modify the process of downloading and applying new themes. The attacker could then access the themes available in the app and replace one with an infected version. Entry is gained once a person selects a theme and installs it.

By exploiting this function, the cyber-criminal can achieve an arbitrary file write. This in turn can be turned into code execution in the browser on the user’s device. The Dolphin app hasn’t been updated since July, so it’s likely most of its users are vulnerable to the security risk.

The Mercury browser is affected by an insecure Intent URI scheme implementation. A chain of flaws put together in the right order could allow a remote hacker to break into the app and invade the user's privacy. An attacker who exploits all the vulnerabilities could read arbitrary files within the app’s data directory.

Rotologix stated that he was able to download files stored in the browser’s database. He could further write and overwrite files stored there using the upload functionality and a path traversal vulnerability in the code that supports the Wi-Fi Transfer feature. The Mercury app was last updated on August 17.
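
A path traversal in an upload handler means a client-supplied file name is allowed to resolve outside the intended directory. The Java class below is an added example, not Mercury's code and not taken from the researcher's report, showing the check such a handler needs before writing; `UploadPathGuard`, `resolveUpload`, the upload directory and the sample file names are all hypothetical.

```java
import java.io.File;
import java.io.IOException;

// Added example: confines uploaded file names to a single directory.
// Class, method and directory names are hypothetical, not from any real app.
public final class UploadPathGuard {

    private final File baseDir;

    public UploadPathGuard(File uploadDir) throws IOException {
        // Canonical form resolves "..", "." and symlinks once, up front.
        this.baseDir = uploadDir.getCanonicalFile();
    }

    /** Returns the destination file, or throws if the name escapes baseDir. */
    public File resolveUpload(String clientFileName) throws IOException {
        if (clientFileName == null || clientFileName.isEmpty()
                || clientFileName.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed file name");
        }
        // Canonicalize the combined path BEFORE comparing, so "a/../../b"
        // is judged by where it really lands, not by how it is spelled.
        File candidate = new File(baseDir, clientFileName).getCanonicalFile();
        // The trailing separator stops ".../uploads_evil" matching ".../uploads".
        String basePrefix = baseDir.getPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) {
            throw new SecurityException("path escapes upload directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        File dir = new File(System.getProperty("java.io.tmpdir"), "wifi_transfer_uploads");
        dir.mkdirs();
        UploadPathGuard guard = new UploadPathGuard(dir);
        // Constructed sample names, as an upload client might send them.
        String[] names = { "photo.jpg", "sub/notes.txt",
                           "../databases/example.db", "sub/../../prefs/example.xml" };
        for (String name : names) {
            try {
                System.out.println("ACCEPT " + name + " -> " + guard.resolveUpload(name));
            } catch (SecurityException e) {
                System.out.println("REJECT " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first two names resolve inside the upload directory and are accepted; the last two canonicalize to locations above it and are rejected before any write happens.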

The security enthusiast recommended that all users of the Dolphin and Mercury Android browsers stop using them until the holes in the applications are fixed.
