Security flaw allows hackers to lift data from SD cards in Google handsets.

Discussion in 'Android News' started by cereal killer, Nov 30, 2010.

  1. cereal killer

    Member EvilDobe tipped us off on an article he found that reveals a serious security flaw in the built-in browser.

    While most of us don't store anything of vital importance on our SD cards, it's still a vulnerability that Google responded to within 20 minutes of hearing about the exploit. thomascannon.net reported: "I notified the Android Security Team on 19-Nov-2010 and to their credit they responded within 20 minutes, took it seriously, and started an investigation into the issue."

    Full details are below:

    A security officer has stumbled across a serious vulnerability in the built-in browser of Android smartphones that might allow hackers to lift data from SD cards in the Google handsets.

    Thomas Cannon discovered the JavaScript-related vulnerability outside his normal job as a corporate security officer. The hole would allow malicious websites to snatch the contents of any file stored on the SD card of an Android smartphone, provided the name and directory path of a targeted file is known beforehand.

    It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability, as explained in an advisory and video here.

    The weakness arises because of a combination of factors that mean that when a file from a content provider is opened, the built-in Android browser will run JavaScript without prompting the user.

    JavaScript running in the context of a content provider can use xmlhttp (ie AJAX) requests to slurp up the contents of files (and other data). Redirects can then be used to post the data back to a malicious website.

    "I came across the vulnerability while doing some independent security research and writing a JavaScript-based demo to show a weakness in the way some applications share data via Android's Content Providers," Cannon explained. "I was surprised that an HTML page with JavaScript could query the content providers and realised that this could be triggered by a malicious site."

    Cannon has gone public ahead of an update to the Android OS he reckons will be necessary to fix the problem in order to warn users of the risk. He was keen to stress he has no anti-Android axe to grind, going so far as to praise Google for its handling of the issue thus far.

    "Google's response so far has been excellent," Cannon said. "I would not release an advisory while there is a chance that users will be able to receive a patch in a reasonable time frame. However in this case I don't believe they will be able to.

    "This is not because of Google's response process, but because of the way handsets have to receive OS updates from manufacturers. I therefore believe it better that users are given a chance to protect themselves at an early opportunity, or at least understand the risks," he said.

    Cannon suggests that Android users should either disable JavaScript or use an alternative browser - such as Opera - to mitigate against the risk of attacks pending a more comprehensive fix from Google. Another means of mitigating the vulnerability would be to use a potentially vulnerable handset without an SD card.

    In a statement, a Google spokesman acknowledged the problem and said it was in the process of developing and releasing a patch.

    "We've developed a fix for an issue in the Android browser that could, under certain circumstances, allow for accessing files on a user's SD card. We're working to issue the fix to our partners and open source Android."

    Google's security team told Cannon that they are aiming for a fix to go into a Gingerbread maintenance release. "They don't have a time frame for OEMs to release the update though, which is an issue, as that is the weak link," he added.

    What do our readers think? No big deal or does this need to be fixed asap?

    Source: The Register
     
  2. hoppermi
    Thanks CK

     
  3. hoppermi
    I wonder if maybe they can make the browser a market app, like they did for gmail and voice search, and fix the problem that way.

     
  4. Kineo
    CK, is there a way we can give them this idea so it can go to all Android versions at once?
     
  6. Darkseider
    Meh. Unless the specific filename and location is known then it's no big deal. The only "known" files and locations are the default files placed on the SD card and that's it.
     
  7. iamlost87
    Wouldn't you have to go to a malicious site in order to have that code execute? If you stick to trusted sites with filters on user-inputted code, I'd imagine you would be fine. If not, I guess it's time to delete the pics of the woman. Lol
     
  8. bazar6
    Haha, I'm sure she'd like that..

    This doesn't really concern me tho, I've used Dolphin Browser since the first day I got my phone, the Verizon rep told me about it. Since then, I've set DB as my default, which the article claims I have nothing to worry about if you're cruising that way. And, like someone already said, you'd have to go to a malicious site. I know they're out there, but how common of a site would it be, and if it's that sort of site, would you really want to go to it on your phone (anything I think is suspicious/malicious, I use my mac).
     
  9. HarshReality
    I wonder if the ROM boys will be doing an update just for the browser or release as a new version.... (I'd prefer the first option)
     
  10. DroidMastar2
    Eh

    One false web click and you can end up on a malicious site... So it's not something that's hard to do... I never use the stock browser tho so it doesn't bother me. Also, I'm sure the malicious capabilities have been downplayed...
     