« Close Encounters of the Third Kind | Main | The Ultimate Web App Security Scanner Comparison Published - AppScan Standard Leads the Pack »

August 02, 2011

Android Browser Cross-Application Scripting (CVE-2011-2357)

Recently we detected a security vulnerability in Android’s Browser which can be exploited by a non-privileged application in order to inject JavaScript code into the
context of any domain; therefore, this vulnerability has the same implications as global XSS, albeit from an installed application rather than another website.

Android 2.3.5 and 3.2 have been released, which incorporate a fix for this bug.  Patches are available for Android 2.2.* and will be released at a later date. Organizations can contact security@android.com for patch information.

The complete advisory can be found here.

Demo of the PoC:

 

We would like to thank the Android Security Team for the efficient and quick way in which they handled this security issue.

Posted by on August 02, 2011 in Research |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d835130c5153ef014e8a435ae5970d

Listed below are links to weblogs that reference Android Browser Cross-Application Scripting (CVE-2011-2357):

Comments

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.