Hole Fixed in Intel Crosswalk

Monday, August 1, 2016 @ 02:08 PM gHale


Intel fixed a bug in its Crosswalk Project library — which allows mobile developers to use HTML, CSS and Javascript to develop and deploy mobile apps across multiple platforms from the same codebase — can open users to man-in-the-middle attacks, researchers said.

The Crosswalk Project, created by Intel’s Open Source Technology Center, also packages the HTML assets provided by the developer and runs them inside a WebView on the device. The library also bridges some of the common APIs and services from the Javascript code in the WebView to the underlying platform. The project supports deployment to iOS, Windows Phone and Android.

RELATED STORIES
Ransomware Masked as Rockwell Update
‘Misbehaving’ Tor Nodes Found
Updated Tor Browser Releases
Hacking Costs on Decline

The discovered bug affects only the Android implementation. Developers used the framework to build popular apps, the most popular of which has been downloaded by over 10 million users.

“When a user makes a network request, an app using the Crosswalk project shows an initial error message if an invalid SSL certificate is found. If the user selects ‘OK,’ the app then accepts all future SSL certificates without validation,” said researchers at Carnegie Mellon University’s CERT Coordination Center (CERT/CC).

“The app does not make it clear that the dialog grants permanent permission to accept invalid certificates; the user is never prompted again,” the researchers said.

The researchers discovered the flaw while testing a third-party Android app using this library, and responsibly reported it to Intel so the industry giant can fix it before it suffers exploitation.

The issue has been resolved in Crosswalk stable 19.49.514.5. So, app developers should rebuild their apps using the latest Crosswalk versions – 19.49.514.5 (stable), 20.50.533.11 and 21.51.546.0 (beta), and 22.51.549.0 (canary).

Users of apps based on the Crosswalk framework should be watching for updates that fix the problem.