Mobile Embedded Browser XSS Woes

Thursday, December 8, 2011 @ 03:12 PM gHale


Using embedded browsers in mobile applications can make those applications vulnerable to cross site scripting attacks.

Developers of mobile software have found it can be effective to embed a smartphone operating system’s web browser and then create their user interface using HTML, CSS and JavaScript, said Kyle Osborn, security researcher at AppSec Consulting.

RELATED STORIES
Targeted Attacks on Rise
Security Survey: Mobile Devices a Problem
Technology Push Puts Security on Back Burner
Attackers Winning Security Battle

The user interface is then more portable to other devices and is easier to customize using CSS. But this convenience comes at a cost as Osborn found some developers don’t clean the data sent to their HTML-based user interface.

In Google Earth on the iPad, he found it was possible to embed JavaScript in location information in a layer. Osborn said when the user browsed that location, his injected JavaScript then executed and displayed the /etc/hosts file.

Google fixed the vulnerability on the server side, without needing to modify the client software. The impact of the vulnerability is small as it does not break the sandboxing of the applications and it does not have access to the cookies and other information accumulated by normal browser sessions.

With more and more applications using embedded browsers, on mobile devices and on the desktop, the potential for exploits that will be able to make effective use of uncleaned data injected into the HTML front-end is increasing.

Skype’s iPhone application suffered from an XSS attack in September and its desktop application suffered one in July.

Application developers embedding a web browser into their application need to ensure they follow the same rules a web application developer should follow when sending data to the interface, ensure no HTML or script tags embed in the data.



Leave a Reply

You must be logged in to post a comment.