# Disclosure Date: 30/01/2014
# Author: Keith Makan
# Vendor or Software Link: https://play.google.com/store/apps/details?id=com.jiubang.browser&hl=en
# Version: 1.16
# Tested on: Android 3.2.1 (HTC Flyer)
# Tools : Drozer, Bash
Description
Next Browser for Android (version 1.16) suffers from multiple vulnerabilities in which applications with no permissions are capable of leaking detailed information about a victim's browsing history.
The vulnerabilities discussed here stem from a lack of permissions enforcement in the AndroidManifest.xml; here is the code causing this issue:
<provider android:name=".provider.BrowserDataProvider" android:authorities="com.jiubang.browser.settings" />
The element above does not make use of the android:permission attribute, which means applications hosted on the victim's Android device do not require any permissions to access the affected data.
Currently an estimated 5,000,000 - 10,000,000 installs are affected.
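A manifest audit for the condition described above, added here as an example and not part of the original advisory or the vendor's code: it reports, per exported provider, whether reads, writes or both need no permission. The uses-sdk values and the com.example.READ_HISTORY permission name are constructed assumptions; the advisory does not state the app's target SDK.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

def open_providers(manifest_xml):
    """Map each exported provider's authority to the access kinds that need no permission."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    # targetSdkVersion falls back to minSdkVersion, which falls back to 1.
    target = 1
    if sdk is not None:
        target = int(sdk.get(NS + "targetSdkVersion") or sdk.get(NS + "minSdkVersion") or 1)
    findings = {}
    for p in root.iter("provider"):
        exported = p.get(NS + "exported")
        # Without android:exported, a provider is exported by default below API 17.
        is_exported = (exported == "true") if exported is not None else (target < 17)
        if not is_exported:
            continue
        both = p.get(NS + "permission")  # android:permission covers reads and writes
        open_access = [kind for kind, attr in (("read", "readPermission"),
                                               ("write", "writePermission"))
                       if not (both or p.get(NS + attr))]
        if open_access:
            findings[p.get(NS + "authorities")] = open_access
    return findings

def manifest(provider_attrs):
    """Constructed sample manifest wrapping the provider element quoted in the advisory."""
    return f'''<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.jiubang.browser">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16" />
  <application>
    <provider android:name=".provider.BrowserDataProvider"
              android:authorities="com.jiubang.browser.settings" {provider_attrs} />
  </application>
</manifest>'''

AS_PUBLISHED = manifest("")  # the element exactly as quoted above
READ_GUARD_ONLY = manifest('android:readPermission="com.example.READ_HISTORY"')
NOT_EXPORTED = manifest('android:exported="false"')

if __name__ == "__main__":
    for label, xml in (("as published", AS_PUBLISHED),
                       ("readPermission only", READ_GUARD_ONLY),
                       ("exported=false", NOT_EXPORTED)):
        print(label, "->", open_providers(xml))
```

A permission attribute only helps if the permission is declared with a protectionLevel that other applications cannot simply request, such as signature.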
Impact
Unauthorized applications are capable of abusing this vulnerability to leak data about a victim's browsing history. Furthermore, seeing that this vulnerability occurs in a browser, attackers could exploit this vulnerability to force victims to visit malicious sites, should they be visited from their history. Currently an estimated 5,000,000 - 10,000,000 installs are affected.
Proof of Concept
(with Drozer)
[Screenshot: History leak attack]
[Screenshot: History overwrite attack. You should notice that DuckDuckGo replaced the Facebook URL]
Disclosure Timeline
- Original Disclosure 30/01/2014
- No response noted 08/02/2014
- Public Advisory 09/02/2014
Tools
- DroidSploit - https://github.com/k3170makan/DroidSploit
- Drozer - https://github.com/mwrlabs/drozer