[guardian-dev] Android WebView SOP vulnerability (CVE-2014-6041)
Nathan of Guardian
nathan at guardianproject.info
Thu Sep 18 16:10:21 EDT 2014
On Thu, Sep 18, 2014, at 03:26 PM, Adam Kruger wrote:
> On Thu Sep 18 2014 at 15:01:21, Nathan of Guardian wrote:
>> Orweb only allows one window at a time, and no tabs. I need to
>> dig deeper into the bug, but my hope was that we aren't
>> vulnerable because of that.
>
> Our understanding is that content in iframes could violate SOP,
> so even with one browser window/tab at a time there is a
> problem.

Hmm, so the attack is that a MiTM somehow injects a malicious
iframe into a site you are visiting... but if they can do that,
then can't they already see the content you are accessing?
Who is creating the malicious iFrame and with what goal? What
am I missing?

>> Have you seen our work on Orfox? I think we are going to
>> accelerate a release there, and kill off all of our WebView
>> based efforts.
>
> Yes. I'm looking forward to seeing an Orfox release.

Yes, and we should discuss if you want to do your own release
of it for Psiphon, or if we should somehow have our Netcipher
code check for Orbot and Psiphon, and prompt the user.

+n