Results 1 to 1 of 1

Thread: Security Expert Warns of Android Browser Flaw

  1. #1
    Senior Member
    Join Date
    Mar 2009
    Location
    USA
    Posts
    5,552
    Thanks
    364
    Thanked 2,241 Times in 1,111 Posts
    Blog Entries
    8

    Security Expert Warns of Android Browser Flaw


    Android Data Stealing Vulnerability

    While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card. It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.

    The vulnerability is present because of a combination of factors. I’ve been asked nicely to remove some details from the following section, and as my intention is to inform people about the risk, not about how to exploit users, I’ve agreed:

    * The Android browser doesn’t prompt the user when downloading a file, for example "payload.html", it automatically downloads to /sdcard/download/payload.html
    * It is possible, using JavaScript, to get this payload to automatically open, causing the browser to render the local file.
    * When opening an HTML file within this local context, the Android browser will run JavaScript without prompting the user.
    * While in this local context, the JavaScript is able to read the contents of files (and other data).

    Then, once the JavaScript has the contents of a file it can post it back to the malicious website. This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort.

    complete article

    source - Android Data Stealing Vulnerability | thomascannon.net
    Last edited by Stomp_442; 11-28-2010 at 11:40 AM.

  2. 1 User Says Thank You Stomp_442 For This Useful Post


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •