A vulnerability that a researcher planned to use to compromise an Android cell phone at a hacking contest later this week got squashed after Google fixed the underlying bug in the Android Market.
Scio Security CTO Jon Oberheide notified Google of the XSS, or cross-site scripting, bug in the application bazaar because he didn't believe the vulnerability would qualify under terms of the Pwn2Own contest that is scheduled to start on Wednesday. The “incredibly low-hanging naive persistent XSS” allowed attackers to remotely install malicious apps on Android handsets by tricking users into clicking a link on their phones or computer browsers while logged into a Google account.
Oberheide later learned that the vulnerability didn't run afoul of contest rules, allowing him to collect $15,000 and a free handset if he was successful. But he recently discovered Google closed the security hole. The $1,337 awarded to Oberheide under Google's bug bounty program is little consolation, he wrote in a blog post published on Monday.
Adding to his disappointment, Oberheide said, is the decision by Google not to make changes to a feature that allows users to install new apps directly to their handsets while browsing the Android Market on their computer browsers. The feature offers no on-device notification warning users of what's about to happen and prompting them for permission. As a result, similar remote execution vulnerabilities will plague the mobile OS again each time certain types of XSS bugs are discovered in the Market.
“Instead of trying to play Whac-a-Mole with XSS bugs and trying to prevent them from cropping up again in the Market, they need to address this issue at the root, where if there's any sort of automated installs to the phone, there should at least be some simple on-device confirmation that the user has to click in order to go on with that installation,” Oberheide told The Register.
Oberheide said he has scoured the Market for other XSS bugs over the past week and so far has found none that are suitable. XSS vulnerabilities are so common, though, that it wouldn't be surprising if more are discovered. Pwn2Own, which runs Wednesday through Friday at the CanSecWest security conference in Vancouver, is now in its fifth year.
In an email, a Google spokesman wrote: "Installation notifications appear on the device as an alert to users when the browser version of Android Market is used to install applications. It's not completely silent. It's also not clear that other XSS bugs will be found in this particular mechanism to cause similar issues."
In response, Oberheide said that a user would see the notification only after the malicious app had been installed and only if she happens to be looking at the phone shortly after installation.
"However, given that we trigger the install and execute our app when the user clicks our malicious link, it's trivial to root the device and immediately remove any notifications that were present," he added.
The Google spokesman declined to elaborate.
Oberheide's report comes a week after Google removed more than 50 apps from the Android Market after third-party researchers identified them as malicious. Google eventually zapped the data-stealing trojans from Android phones using a remote kill switch baked into the mobile platform, but there's little to prevent similar attacks, since Google performs no vetting of apps submitted by third-party developers.
News Source: The Register