THREE QUARTERS of Android mobes open to web page spy bug

  • 16 September 2014

By Darren Pauli, 16 Sep 2014
 
A Metasploit module has been developed to easily exploit a dangerous flaw in 75 percent of Android devices that allows attackers to hijack a user's open websites.
The exploit targets a vulnerability (CVE-2014-6041) in Android versions 4.2.1 and below and was disclosed without fanfare on 1 September, but had since gathered dust, according to researchers.
Tod Beardsley (@TodB), a developer for the Metasploit security toolkit, dubbed the "major" flaw a "privacy disaster".
"What this means is any arbitrary website - say, one controlled by a spammer or a spy - can peek into the contents of any other web page," Beardsley said.
"[If] you went to an attacker's site while you had your web mail open in another window, the attacker could scrape your email data and see what your browser sees.
"Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write web mail on your behalf."
It worked using a malformed Javascript: URL handler prepended with a null byte, which allowed attackers to bypass the Same-Origin Policy in the defunct but still popular Android Open Source Platform (AOSP).
 
The Register, full article here: http://www.theregister.co.uk/2014/09/16/three_quarters_of_droid_phones_open_to_web_page_spy_bug/
