Vulnerabilities / Threats
11/29/2010
10:46 AM
50%
50%

Android Vulnerable To Data Theft Exploit

Google is preparing a fix for the bug that could allow attackers to use JavaScript to read files from handsets.

RockMelt Social Web Browser Revealed
(click image for larger view)
Slideshow: RockMelt Social Web Browser Revealed

Google is working to patch a new data-stealing vulnerability that affects all versions of the Android operating system.

The vulnerability was discovered by security researcher Thomas Cannon. "While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card," he said on his blog. "It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability." In other words, a successful exploit wouldn't provide the attacker with root access to all device data.

Cannon said that after he emailed Google about the bug, the company made contact to discuss the issue just 20 minutes later. Google also asked him to withhold some details while it works on a fix. "As my intention is to inform people about the risk, not about how to exploit users, I've agreed," he said.

The vulnerability stems from the way Android saves downloaded files -- it always saves them in the same location. Using JavaScript, however, an attacker could automatically open any downloaded file, as well as read the contents of the file, or related files, albeit only inside the Android sandbox. While the attacker would need to know the name of the file she wanted to exploit, many applications, including the built-in camera, always save files with the same name.

Relaying any purloined files back to the attacker is likewise apparently easy. "Once the JavaScript has the contents of a file it can post it back to the malicious website," said Cannon. "This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort."

Google said it will patch the issue as part of its forthcoming Gingerbread (2.3) maintenance release of Android.

But Chester Wisniewski, senior security advisor at Sophos Canada, warned about older devices that, because of memory limitations, can't run the latest version of Android, such as the HTC Dream (G1) or Motorola Devour. Accordingly, they could be "vulnerable in perpetuity" to the attack, while even the latest devices will be vulnerable for at least the next couple of weeks.

As a workaround, he said, don't use the built-in Android browser. "For now the only option is to choose third-party applications that are updated through the Android Market instead of using the embedded applications." In particular, he recommended Opera Mobile or Firefox 4 portable (currently in beta).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.