Android AirDroid Flaw

Wednesday, April 10, 2013 @ 01:04 PM gHale

A cross-site scripting (XSS) vulnerability exists in the browser version of AirDroid, a cloud management application for Google’s Android phones, according to a report on US-CERT.

There is no patch planned and there is no logical workaround right now, the report said.

Android Trojan Spreads through Botnet
3rd Party Apps a Bug Nightmare
Android Malware Hits Windows PCs
Trojan a Work of ‘Poetry’

If an attacker was able to get access to a phone with AirDroid installed, they’d be able to send a malicious text message to the browser associated with the account, according to a warning on the US-CERT’s Vulnerability Notes. Once that message comes up on the browser, the attacker could execute an XSS attack which in turn could lead to information leakage, privilege escalation and denial of service on the compromised machine.

AirDroid’s web interface,, doesn’t properly sanitize the code it gets via text messages. The app works in tandem with browsers such as Internet Explorer, Google Chrome, Mozilla Firefox and Apple’s Safari, to access files on Android devices from the web.

AirDroid already relies on using a safe HTTPS connection and a series of one-time QR codes/passwords to enable phone-to-computer sharing, which makes the Web interface oversight interesting. The security section of AirDroid’s website said the service only works while both devices are on the same WiFi network and that it limits log-ins.

The XSS attack “comes as an HTTP request from a legitimate user’s host,” which means it is coming from a phone that is already set up and authorized. There is no current workaround and as CERT notes, no practical solution to this problem.

Leave a Reply

You must be logged in to post a comment.