[guardian-dev] Android WebView SOP vulnerability (CVE-2014-6041)
Tom Ritter
tom at ritter.vg
Fri Sep 19 08:55:36 EDT 2014
On 18 September 2014 15:10, Nathan of Guardian
<nathan at guardianproject.info> wrote:
> On Thu, Sep 18, 2014, at 03:26 PM, Adam Kruger wrote:
> On Thu Sep 18 2014 at 15:01:21, Nathan of Guardian wrote:
>
> Orweb only allows one window at a time, and no tabs. I need to
> dig deeper into the bug, but my hope was that we aren't
> vulnerable because of that.
>
> Our understanding is that content in iframes could violate SOP, so even with
> one browser window/tab at a time there is a problem.
>
>
> Hmm, so the attack is that a MiTM somehow injects a malicious iframe into a
> site you are visiting... but if they can do that, then can't they already
> see the content you are accessing?
>
> Who is creating the malicious iFrame and with what goal? What am I missing?
The way I'd exploit it is by sending you a link via
email/txt/chatsecure when I think/hope you're on your phone with some
enticing subject like "Someone just dropped a ChatSecure 0day on
ExploitDB". That link would send you to a page with some nonsense text
that's really long for you to read through. Meanwhile I stuck a
couple of iframes hidden on the page that frame gmail, facebook,
whatever else is interesting. Anything you're logged in to would
allow full page extraction - all your emails, facebook info, etc etc.
And with some crawling through the html and you could extract
near-limitless information so long as the victim kept the page open.
-tom
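The attack Tom sketches above, written out as an added example (this is not code from the thread, from Orweb or from the Guardian Project). It shows the attacker-page side only: plant invisible iframes pointing at sites the victim is logged in to, then try to read each frame's DOM. In a browser that enforces the same-origin policy the read returns nothing or throws, and the example records that; on a WebView affected by CVE-2014-6041 the read would succeed and the whole document plus its links comes back. The thread does not describe what makes the read succeed on the vulnerable WebView, so that trigger is not shown. The target hostnames and the attacker origin are made up.

```javascript
// Added example: the shape of the hidden-iframe extraction attack described
// in the thread. Not Orweb or Guardian Project code. The SOP-bypass trigger
// for the vulnerable WebView is deliberately absent; only the harvesting
// logic around it is shown. Hostnames below are invented.

const TARGETS = [
  "https://mail.example.test/inbox",   // constructed target, stands in for "gmail"
  "https://social.example.test/me",    // constructed target, stands in for "facebook"
];

// Origin comparison as the same-origin policy defines it: scheme, host and
// port must all match. The URL API normalises a default port to "".
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Plant one invisible 1x1 iframe per target in `doc` and return the frame
// elements. `doc` is a parameter so the logic can be exercised outside a
// browser with a stand-in document object.
function plantHiddenFrames(doc, targets) {
  return targets.map((url) => {
    const f = doc.createElement("iframe");
    f.src = url;
    f.width = "1";
    f.height = "1";
    f.style.position = "absolute";
    f.style.left = "-9999px";     // off-screen, so the long "nonsense text" page looks normal
    doc.body.appendChild(f);
    return f;
  });
}

// Try to read one frame's DOM. A conforming browser exposes contentDocument
// as null for a cross-origin frame or throws a SecurityError on the access;
// both cases are reported as blocked. When the read works, the full markup
// and every link are returned: the "full page extraction" and "crawling
// through the html" from the message above.
function harvest(frame, attackerOrigin) {
  const crossOrigin = !sameOrigin(frame.src, attackerOrigin);
  try {
    const d = frame.contentDocument;
    if (!d) {
      return { src: frame.src, crossOrigin, blocked: true, reason: "no document access" };
    }
    const links = Array.from(d.querySelectorAll("a[href]")).map((a) => a.href);
    return { src: frame.src, crossOrigin, blocked: false, html: d.documentElement.outerHTML, links };
  } catch (e) {
    return { src: frame.src, crossOrigin, blocked: true, reason: e.name || String(e) };
  }
}

function harvestAll(frames, attackerOrigin) {
  return frames.map((f) => harvest(f, attackerOrigin));
}

// In a browser this runs on load and logs what each frame yielded; under
// Node there is no `document`, so only the functions above are defined.
if (typeof document !== "undefined") {
  const frames = plantHiddenFrames(document, TARGETS);
  frames.forEach((f) => f.addEventListener("load", () => console.log(harvest(f, location.href))));
}
```

Every result from `harvestAll` on a patched browser should come back `blocked: true`; a single `blocked: false` entry for a cross-origin target is the symptom the thread is worried about. Note also that a framed site which sends `X-Frame-Options: DENY` never renders inside the hidden frame in a browser that honours that header, so there is nothing to harvest from it regardless of the WebView bug.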