*# Disclosure Date:* 30/01/2014
*# Author: *Keith Makan
*# Vendor or Software Link:*
https://play.google.com/store/apps/details?id=com.jiubang.browser&hl=en

*# Version:* 1.16
*# Tested on:* Android 3.2.1 (HTC Flyer)
*# Tools :* Drozer, Bash

*Description*

Next Browser for Android (version 1.16) suffers from critical information
disclosure vulnerabilities in which applications with no granted
permissions are capable of gaining access to detailed information about a
victim's browsing history. Another vulnerability stemming from the same
issue also allows unauthorized corruption/modification of the browsing
history data.

*Impact*

Unauthorized applications are capable of abusing this vulnerability to leak
data about a victims browsing history. Further more, seeing that this
vulnerability occurs in a browser, attackers could exploit this
vulnerability to force victims to visit malicious sites---should they be
visited from their history.

Currently an estimated  5,000,000 - 10,000,000 installs are affected.

*Timeline*

   1. Original Disclosure 30/01/2014
   2. -- No Response noted 08/02/2014
   3. Public Advisory 09/02/2014

*PoC:*

Browser History Leak : http://i.imgur.com/vJGSh22.png

Browser History Overwrite : http://i.imgur.com/17cvsb2.png
-- 
<Keith k3170makan <http://about.me/k3170makan> Makan/>