Android Browser UXSS Vulnerability

Wednesday, November 12, 2014 @ 03:11 PM gHale

There is a universal cross-site scripting (UXSS) vulnerability in the Android browser installed by default on Android smartphones, researchers said.

The flaw ended up identified and reported to Google by Pakistani security researcher Rafay Baloch. The researcher coordinated the disclosure of the bug with the security firm Rapid7, which released a Metasploit module.

Android Malware Tough to Remove
Images can Attack in Android Apps
Mobile Trojan Targets Android Devices
SMS Trojans Top Android Threats

The vulnerability, which affects the WebView component, occurs “when replacing the ‘data’ attribute of a given HTML object with a JavaScript URL scheme,” said Tod Beardsley, technical lead for the Metasploit framework.

An attacker can leverage the UXSS flaw to scrape cookie data and page contents from a vulnerable browser window, Rapid7 researchers said. The company said target URLs using X-Frame-Options do not suffer from the issue.

The security hole can suffer exploitation on all versions of the Android Open Source Platform (AOSP) browser, shipped by default with all versions of the Android operating system prior to 4.4 (KitKat). Android applications incorporating versions of WebView prior to 4.4 are can feel the impact, Beardsley said.

Google released the Android platform version numbers for November a few days ago, and the report shows that close to 70 percent of Android smartphones use pre-KitKat versions of the operating system.

While Google published a fix for this bug on September 30, most Android users will probably not get it because of the way the Android ecosystem works — unless they buy a new phone.

Purchasing a new smartphone just won’t work unless the user is due for an upgrade, so that means the issue can remain on the device for a period of time.

Leave a Reply

You must be logged in to post a comment.