Android browser vulnerable to "Cross Application Scripting"..!!

priyanshuit's picture


IBM researchers have found that it is possible for third party applications to inject JavaScript code into instances of the Android browser. According to a paper published by the researchers, the vulnerability exists in Android 2.3.4 and 3.1 and is believed to exist in earlier versions.
The browser holds sensitive information such as cookies, cache and history, and injected JavaScript could make it possible to extract that information, indirectly breaking the Android sandbox architecture. The attack exploits flaws in how the browser reacts to calls to view web pages from other applications.
The researchers outlined two scenarios, one where the maximum number of tabs was open and one where two requests to the browser were sent in quick succession. They offered a proof of concept for the latter scenario, which involved the browser being opened to a specified URL and then being asked to execute some JavaScript; a malicious application would be able to harvest information about how a user interacts with the site at the specified URL.
 
IBM demonstrates the proof of concept for Android Cross Application scripting



It is suggested that an attacking application could also install itself as a service, which would allow it to inject JavaScript into the currently opened tab which could make an attack more effective. However, an attack would require that the user had downloaded and installed a malicious application which used the technique. The bug behind the flaw, found in the Browser's onNewIntent() method, is fixed in Android 2.3.5 and 3.2 and patches will be made available for Android 2.2.x.

Source: H-Online

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
10 + 2 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.

About the Author

priyanshuit's picture

Name
priyanshu

Last Name
sahay

Gender
Male

Website / Blog
http://www.hackersonlineclub.com

About me
Myself PRIYANSHU. >> Certified Cyber Law Expert >> Certified Cyber Security Expert >> Certified Ethical Hacker >> Working on Cyber Security, Ethical Hacking, Investigation, VAPT, Web Designing. Catch Me On >> Facebook: http://www.facebook.com/priyanshu.it Twitter: http://twitter.com/priyanshu_itech Email: priyanshu@cyber-india.in

Location
Delhi

Recent comments