Hackers Can Remotely Install Malware Apps to Your Android Device

Security researchers have warned of a pair of vulnerabilities in the Google Play Store that could allow cyber crooks to install and launch malicious applications remotely on Android devices.

Tod Beardsley, technical lead for the Metasploit Framework at Rapid7, warns that an X-Frame-Options (XFO) vulnerability – when combined with a recent Android WebView (Jelly Bean) flaw – creates a way for hackers to quietly install any arbitrary app from the Play Store onto a victim's device, even without the user's consent.

USERS AFFECTED
The vulnerability affects users running Android version 4.3 Jelly Bean and earlier versions of Android that no longer receive official security updates from the Android security team for WebView, a core component used to render web pages on an Android device. Users who have installed third-party browsers are also affected.

According to the researcher, the web browsers in Android 4.3 and prior are vulnerable to a Universal Cross-Site Scripting (UXSS) attack, and the Google Play Store is vulnerable to a Cross-Site Scripting (XSS) flaw.

UNIVERSAL CROSS-SITE SCRIPTING FLAW
In UXSS attacks, client-side vulnerabilities in a web browser or browser extensions are exploited to generate an XSS condition, which allows malicious code to be executed, bypassing or disabling the security protection mechanisms in the web browser.

"Users of these platforms may also have installed vulnerable aftermarket browsers," Beardsley explains. A Universal Cross Site Scripting (UXSS) flaw was discovered in all the latest versions of Internet Explorer that allows malicious hackers to inject malicious code into users' websites and steal cookies, session and login credentials.

The security researcher demonstrated with JavaScript and Ruby code that responses from the play.google.com domain can be generated without the appropriate XFO header.

METASPLOIT MODULE IS PUBLICLY AVAILABLE
A Metasploit module has been created and made public on GitHub in order to help enterprise security bods test corporate-issued smartphones for exposure to the vulnerability. According to the advisory, the remote code execution is achieved by leveraging two vulnerabilities on affected Android devices:
  • First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser), as well as some other browsers, prior to 4.4 (KitKat).
  • Second, the Google Play store's web interface fails to enforce an X-Frame-Options: DENY header on some error pages, and therefore can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device.
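
The second issue is a header that is set on normal pages but missing on some error responses. The following added example (not from the advisory or the Metasploit module) shows how a site owner could audit their own responses for that gap; the paths, sample responses and function names are constructed for illustration.

```python
# Constructed sample responses (status line + headers); not captured from any real site.
SAMPLES = {
    "/store/apps": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
    "/no-such-page": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
    "/account": "HTTP/1.1 200 OK\r\n"
                "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n",
    # ALLOWALL is a constructed example of a value that is not DENY or SAMEORIGIN.
    "/broken": "HTTP/1.1 500 Internal Server Error\r\nX-Frame-Options: ALLOWALL\r\n\r\n",
    "/denied": "HTTP/1.1 403 Forbidden\r\nx-frame-options: sameorigin\r\n\r\n",
}

def parse_response(raw):
    """Split a raw response head into (status code, {lowercased name: [values]})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def framing_verdict(headers):
    """Classify a response as 'ok', 'invalid', 'csp-only' or 'missing'."""
    xfo = [v.strip().upper() for raw in headers.get("x-frame-options", [])
           for v in raw.split(",")]
    if xfo:
        # Conservative assumption: every value present must be DENY or SAMEORIGIN.
        return "ok" if all(v in ("DENY", "SAMEORIGIN") for v in xfo) else "invalid"
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            if directive.strip().lower().startswith("frame-ancestors"):
                return "csp-only"  # no XFO fallback for browsers that predate frame-ancestors
    return "missing"

def audit(samples):
    """Map each path to (status, verdict)."""
    results = {}
    for path, raw in samples.items():
        status, headers = parse_response(raw)
        results[path] = (status, framing_verdict(headers))
    return results

def frameable_error_pages(results):
    """Error responses (4xx/5xx) that lack an enforceable X-Frame-Options header."""
    return sorted(p for p, (status, v) in results.items() if status >= 400 and v != "ok")

if __name__ == "__main__":
    for path, (status, verdict) in audit(SAMPLES).items():
        print(f"{status} {path}: {verdict}")
```
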
HOW TO PREVENT BEING EXPOSED
  • Use a web browser that is not susceptible to widely known UXSS vulnerabilities – such as Google Chrome, Mozilla Firefox or Dolphin. This could help mitigate the lack of universal X-Frame-Options (XFO) for the play.google.com domain.
  • Another effective way is to simply log out of the Google Play store account in order to avoid the vulnerability, although this practice is highly unlikely to be adopted by most users.