| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Mar 2015 20:16:02 +0100 From: "Securify B.V." <lists@...urify.nl> To: bugtraq@...urityfocus.com Subject: Viber for Android exposes insecure Javascript interface ------------------------------------------------------------------------ Viber for Android exposes insecure Javascript interface ------------------------------------------------------------------------ Yorick Koster, April 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that Viber's Sticker Market is affected by a remote code execution vulnerability. This is possible because the Market is loaded over an insecure connection (HTTP) in a WebView that exposes an insecure Javascript interface. Exploiting this issue allows for the execution of arbitrary Java code within the privileges of the Viber app. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on Viber for Android version 4.3.0.712. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ As of Viber version 5.2.0.2415 (released December 15, 2014) the target SDK was change from API Level 15 to API Level 19. Due to this, this issue is no longer exploitable devices running Android 4.2 (API Level 17) and newer. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20140402/viber_for_android_exposes_insecure_javascript_interface.html https://vimeo.com/102272421
Powered by blists - more mailing lists