Researchers find vulnerability in Android browser
Researchers have found a cross-application scripting vulnerability in an earlier version of Google's Android that allows possible attacks on devices running the operating system.

The vulnerability lets an attacker exploit the URL loading process of Android's browser to inject JavaScript that runs and breaks the sandboxing that protects sensitive information.

"By exploiting this vulnerability a malicious, non-privileged application may inject JavaScript code into the context of any domain... Additionally, an application may install itself as a service, in order to inject JavaScript code from time to time into the currently opened tab, thus completely intercepting the user's browsing experience," Roee Hay and Yair Amit of IBM Rational Application Security Research Group said in their security advisory.

In their advisory, they said a malicious application can cause Android's browser to reach the maximum tab limit, then insert the JavaScript.

A malicious app can also send two consecutive startActivity calls, causing Android's browser to load the first call, which includes the attacked domain, and then the second call, which contains the JavaScript code.

Hay and Amit said Android 2.3.4 and Android 3.1 have been found vulnerable. But they also noted that Android 2.3.5 and 3.2, which incorporate fixes for the bugs, have been released.

"Patches are available for Android 2.2. and will be released at a later date. Organizations can contact security@android.com for patch information," they added.

- LBG, GMA News