Feeds

Android flaw poses drive-by data slurp risk

There's no patch for it, so users should take care

The essential guide to IT transformation

A security officer has stumbled across a serious vulnerability in the built-in browser of Android smartphones that might allow hackers to lift data from SD cards in the Google handsets.

Thomas Cannon discovered the JavaScript-related vulnerability outside his normal job as a corporate security officer. The hole would allow malicious websites to snatch the contents of any file stored on the SD card of an Android smartphone, provided the name and directory path of a targeted file is known beforehand.

It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability, as explained in an advisory and video here.

The weakness arises because of a combination of factors that mean that when a file from a content provider is opened, the built-in Android browser will run JavaScript without prompting the user.

JavaScript running in the context of a content provider can use xmlhttp (ie AJAX) requests to slurp up the contents of files (and other data). Redirects can then be used to post the data back to a malicious website.

"I came across the vulnerability while doing some independent security research and writing a JavaScript-based demo to show a weakness in the way some applications share data via Android's Content Providers," Cannon explained. "I was surprised that an HTML page with JavaScript could query the content providers and realised that this could be triggered by a malicious site."

Cannon has gone public ahead of a update to the Android OS he reckons will be necessary to fix the problem in order to warns users of the risk. He was keen to stress he has no anti-Android axe to grind, going so far as to praise Google for its handling of the issue this far.

"Google's response so far has been excellent," Cannon said. "I would not release an advisory while there is a chance that users will be able to receive a patch in a reasonable time frame. However in this case I don't believe they will be able to.

"This is not because of Google's response process, but because of the way handsets have to receive OS updates from manufacturers. I therefore believe it better that users are given a chance to protect themselves at an early opportunity, or at least understand the risks," he said.

Cannon suggests that Android users should either disable JavaScript or use an alternative browser - such as Opera - to mitigate against the risk of attacks pending a more comprehensive fix from Google. Another means of mitigating the vulnerability would be to use a potentially vulnerable handset without an SD card.

In a statement, a Google spokesman acknowledged the problem and said it was in the process of developing and releasing a patch.

We've developed a fix for an issue in the Android browser that could, under certain circumstances, allow for accessing files on a user's SD card. We're working to issue the fix to our partners and open source Android.

Google's security team told Cannon that they are aiming for a fix to go into Gingerbread maintenance release. "They don't have a time frame for OEMs to release the update though, which is an issue, as that is the weak link," he added. ®

Next gen security for virtualised datacentres

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.