lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 17 Mar 2013 19:18:30 +0100
From: Jann Horn <jannhorn@...glemail.com>
To: IEhrepus <5up3rh3i@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: "Data-Clone" -- a new way to attack android
 apps

On Sun, Mar 17, 2013 at 06:09:09PM +0800, IEhrepus wrote:
> "Data-Clone" -- a new way to attack android apps
> 
> Author: SuperHei@....knownsec.com [Email:5up3rh3i#gmail.com]
> Release Date: 2013/03/16
> References: http://www.80vul.com/android/data-clone.txt
> Chinese Version:
> http://blog.knownsec.com/2013/03/attack-your-android-apps-by-webview/
> 
> --[ I - Introduction
> 
> This is a new way to attack android apps t,and i call it "Data-Clone
> Attack". it can bypass password authentication ,when user login the
> app and set "remember password"(some apps is define).
[...]
> --[ III - How to exploit
> 
> "How to get the contents of data" is key to the completion of the
> attack. some like this:
> 
> 1. Already have super privileges
> 
> under the root shell like the demo,u can bypass password
> authentication used "Data-Clone Attack".
> 
> 2. apps install on SDcard
> 
> the others have read  permissions to obtain the app's data.

I'm pretty sure that this is wrong. Apps on the SD card are encrypted. The
crypto is flawed, but not so flawed that this kind of attack would
be possible. Also, apps on the device even need an exploit just to be
able to read the encrypted data.


> 3. Cross-site scripting on android
> 
> app + webview + xss(or webkit xcs vul) = "Data-Clone"
> 
> On older version of android , android app's xss or webkit xcs  vul can
> read the loacl file's contents :
> http://www.80vul.com/android/android-0days.txt
> 
> So the app's webview have the file read permissions to the app's data.
> when a app user visit a URL link,the data will Be cloned。
> 
> --[ IV - Disclosure Timeline
> 
> 2012/03/   - Found this
> 2012/12/10 - Report it to security@...roid.com
> 
> ......For a long time has passed......
> 
> 2013/03/16 - security@...roid.com do not have any response
> (maybe,because Google was not andriod's biological mother)
> 2013/03/16 -Public Disclosure

Or maybe because it's not exactly interesting that you can read an app's
data if you can execute code in its context?

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ