Feeds

Android flaw poses drive-by data slurp risk

There's no patch for it, so users should take care

Security for virtualized datacentres

A security officer has stumbled across a serious vulnerability in the built-in browser of Android smartphones that might allow hackers to lift data from SD cards in the Google handsets.

Thomas Cannon discovered the JavaScript-related vulnerability outside his normal job as a corporate security officer. The hole would allow malicious websites to snatch the contents of any file stored on the SD card of an Android smartphone, provided the name and directory path of a targeted file is known beforehand.

It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability, as explained in an advisory and video here.

The weakness arises because of a combination of factors that mean that when a file from a content provider is opened, the built-in Android browser will run JavaScript without prompting the user.

JavaScript running in the context of a content provider can use xmlhttp (ie AJAX) requests to slurp up the contents of files (and other data). Redirects can then be used to post the data back to a malicious website.

"I came across the vulnerability while doing some independent security research and writing a JavaScript-based demo to show a weakness in the way some applications share data via Android's Content Providers," Cannon explained. "I was surprised that an HTML page with JavaScript could query the content providers and realised that this could be triggered by a malicious site."

Cannon has gone public ahead of a update to the Android OS he reckons will be necessary to fix the problem in order to warns users of the risk. He was keen to stress he has no anti-Android axe to grind, going so far as to praise Google for its handling of the issue this far.

"Google's response so far has been excellent," Cannon said. "I would not release an advisory while there is a chance that users will be able to receive a patch in a reasonable time frame. However in this case I don't believe they will be able to.

"This is not because of Google's response process, but because of the way handsets have to receive OS updates from manufacturers. I therefore believe it better that users are given a chance to protect themselves at an early opportunity, or at least understand the risks," he said.

Cannon suggests that Android users should either disable JavaScript or use an alternative browser - such as Opera - to mitigate against the risk of attacks pending a more comprehensive fix from Google. Another means of mitigating the vulnerability would be to use a potentially vulnerable handset without an SD card.

In a statement, a Google spokesman acknowledged the problem and said it was in the process of developing and releasing a patch.

We've developed a fix for an issue in the Android browser that could, under certain circumstances, allow for accessing files on a user's SD card. We're working to issue the fix to our partners and open source Android.

Google's security team told Cannon that they are aiming for a fix to go into Gingerbread maintenance release. "They don't have a time frame for OEMs to release the update though, which is an issue, as that is the weak link," he added. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.