Google, notified by Thomas a few days ago, responded within 20 minutes and started working on a patch, expected to land on top of Gingerbread's final release. Even backporting the fix to all versions of Android does not sound horrible, until you realize that the real problem, lies in trying to distribute the fix to millions of devices running custom UIs, such as Sense, Motoblur, TouchWiz, etc. OS fragmentation's got nothing on carrier fragmentation, and a global vulnerability, such as this one, only demonstrates once again that Android should be left alone.
Here are the details of the attack, minus the exact implementation, which Thomas decided to pull from the Internet and keep between himself and Google:
While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card. It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.
The vulnerability is present because of a combination of factors. I’ve been asked nicely to remove some details from the following section, and as my intention is to inform people about the risk, not about how to exploit users, I’ve agreed:
- The Android browser doesn’t prompt the user when downloading a file, for example
"payload.html", it automatically downloads to
One limiting factor of this exploit is that you have to know the name and path of the file you want to steal. However, a number of applications store data with consistent names on the SD card, and pictures taken on the camera are stored with a consistent naming convention too. It is also not a root exploit, meaning it runs within the Android sandbox and cannot grab all files on the system, only those on the SD card and a limited number of others.
A video demo of the proof of concept follows:
Your move, Google. How will you crack this nut and keep us all secure, without having to wait another year?