This article is more than 1 year old

Choc Factory patches zero day Google for Work hack hole

Sysadmins told to lock down their Androids, also stop downloading random stuff

Google has patched a vulnerability in the Google Admin application that could allow attackers to steal enterprise accounts.

MWR Labs researcher Rob Miller reported the sandbox-hopping hole, rated medium severity, which can be exploited by malware residing on a user's device.

The flaw can be used to steal Google for Work credentials, according to the UK researcher.

"A malicious application on the same device as the Google Admin application is able to read data out of any file within the Google Admin sandbox, bypassing the Android Sandbox," Miller says in an advisory.

"Devices with Google Admin installed should not install any untrusted third party applications."

Miller says the problem occurs when the Google Admin app receives a URL from another installed application and loads it in a webview within its own activity.

Attackers using a file:// URL to link to a file that they controlled could use symbolic links to bypass the Same Origin Policy and hop the sandbox.

That attack is possible using any app on an Android device.

The hole was disclosed in March and extended after the Chocolate Factory acknowledged it passed its own hard 90-day patch-or-die deadline.

MWR Labs published after that deadline was then exceeded.

Google released an update on August 14 a day after the public disclosure labelling the holes under 'bug fixes'.®

More about

TIP US OFF

Send us news


Other stories you might like