A new vulnerability that affects every Android device currently on the market was discovered and published today by Thomas Cannon, an information and security researcher. The hole in the way the Android browser treats Javascript allows a remote attacker to lure an unsuspecting victim to a malicious web page, which then downloads and executes rogue Javascript with access to the local SD card's file system. While the locations of files on the SD card needs to be known by the attacker in advance, it still represents a clear problem due to many popular applications storing data in the same location. Additionally, photo files tend to use similar naming schemes, and the attacker would be easily able to harvest some of your private pictures.

Google, notified by Thomas a few days ago, responded within 20 minutes and started working on a patch, expected to land on top of Gingerbread's final release. Even backporting the fix to all versions of Android does not sound horrible, until you realize that the real problem, lies in trying to distribute the fix to millions of devices running custom UIs, such as Sense, Motoblur, TouchWiz, etc. OS fragmentation's got nothing on carrier fragmentation, and a global vulnerability, such as this one, only demonstrates once again that Android should be left alone.

Here are the details of the attack, minus the exact implementation, which Thomas decided to pull from the Internet and keep between himself and Google:

While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card. It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.

The vulnerability is present because of a combination of factors. I’ve been asked nicely to remove some details from the following section, and as my intention is to inform people about the risk, not about how to exploit users, I’ve agreed:

  • The Android browser doesn’t prompt the user when downloading a file, for example "payload.html", it automatically downloads to /sdcard/download/payload.html
  • It is possible, using JavaScript, to get this payload to automatically open, causing the browser to render the local file.
  • When opening an HTML file within this local context, the Android browser will run JavaScript without prompting the user.
  • While in this local context, the JavaScript is able to read the contents of files (and other data).

Then, once the JavaScript has the contents of a file it can post it back to the malicious website. This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort.

One limiting factor of this exploit is that you have to know the name and path of the file you want to steal. However, a number of applications store data with consistent names on the SD card, and pictures taken on the camera are stored with a consistent naming convention too. It is also not a root exploit, meaning it runs within the Android sandbox and cannot grab all files on the system, only those on the SD card and a limited number of others.

A video demo of the proof of concept follows:

Your move, Google. How will you crack this nut and keep us all secure, without having to wait another year?

Source: thomascannon.net