Android Vulnerable To Data Theft Exploit

Published : 22/11/2024   Category : security




Google is preparing a fix for the bug that could allow attackers to use JavaScript to read files from handsets.



Google is working to patch a new data-stealing vulnerability that affects all versions of the Android operating system.
The vulnerability was discovered by security researcher Thomas Cannon. "While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card," he said on his blog. "It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability." In other words, a successful exploit wouldn't provide the attacker with root access to all device data.
Cannon said that after he emailed Google about the bug, the company made contact to discuss the issue just 20 minutes later. Google also asked him to withhold some details while it works on a fix. "As my intention is to inform people about the risk, not about how to exploit users, I've agreed," he said.
The vulnerability stems from the way Android saves downloaded files -- it always saves them in the same location. Using JavaScript, however, an attacker could automatically open any downloaded file, as well as read the contents of the file, or related files, albeit only inside the Android sandbox. While the attacker would need to know the name of the file she wanted to exploit, many applications, including the built-in camera, always save files with the same name.
Relaying any purloined files back to the attacker is likewise apparently easy. "Once the JavaScript has the contents of a file it can post it back to the malicious website," said Cannon. "This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort."
Google said it will patch the issue as part of its forthcoming Gingerbread (2.3) maintenance release of Android.
But Chester Wisniewski, senior security advisor at Sophos Canada, warned about older devices that, because of memory limitations, can't run the latest version of Android, such as the HTC Dream (G1) or Motorola Devour. Accordingly, they could be vulnerable in perpetuity to the attack, while even the latest devices will be vulnerable for at least the next couple of weeks.
As a workaround, he said, don't use the built-in Android browser. For now the only option is to choose third-party applications that are updated through the Android Market instead of using the embedded applications. In particular, he recommended Opera Mobile or Firefox 4 portable (currently in beta).
