Patch now: Google and JetBrains warn developers of buggy IDE
Cross-site request forgery flaw gives evil websites access to local files
Google has emailed Android developers advising them to update Android Studio, the official Android IDE, to fix security bugs. Other versions of the JetBrains IntelliJ IDE, on which Android Studio is based, are also affected.
The bugs are in the IDE's built-in web server, which listens on the developer's own machine. A cross-site request forgery (CSRF) flaw means that if the IDE is running and the developer visits a malicious web page in any browser, script on that page can send requests to the local server and, through it, read from the local file system.
Another bug relates to what JetBrains calls "over-permissive CORS [Cross-Origin Resource Sharing] settings." These let an attacker's site read data saved by the IDE or open a project without the developer's permission.
Developers should update Android Studio to version 2.1.1 or higher. Users of other JetBrains IDEs will also find updates available for download. Affected products include CLion, PhpStorm, PyCharm, Rider, RubyMine and WebStorm, as well as IntelliJ IDEA.
Why do Android developers need a web server in their IDE? Some developers asked if it could be disabled completely. Apparently not. "The internal server is not exclusively used for web application development but also serves for other functionality such as the Internal Git SSH support, Http Authorization, Serving Documentation from JARs as well as providing a REST API endpoint," explains JetBrains developer advocate Hadi Hariri.
The good news is that there are no reports of exploitation of these vulnerabilities, but that could change, so early patching is recommended. ®