[guardian-dev] Android WebView SOP vulnerability (CVE-2014-6041)
Hans-Christoph Steiner
hans at guardianproject.info
Tue Sep 23 12:20:49 EDT 2014
Hans-Christoph Steiner wrote:
>
>
> Nathan of Guardian wrote:
>>
>>
>> On Fri, Sep 19, 2014, at 12:16 PM, Hans-Christoph Steiner wrote:
>>> Yet another stark reminder that the web only really works with public
>>> information. Running applications on the web is really just a terrible
>>> idea
>>> from a security and privacy point of view.
>>
>> Well, that cuts off about 99% of the usefulness of it!
>>
>> Though now that Chrome can run Android apps, maybe we are moving back
>> into native/compiled/purpose-built binaries!
>
> Native apps can do networked stuff just fine, there is no need to use such a
> horribly insecure platform. Look at all the networked mobile apps, e.g.
> Facebook, etc.
>
> The companies that are pushing everyone to webapps are generally based on data
> mining business models (Google, Facebook, Yahoo, etc), so webapps are not
> designed with the user's security in mind. Here's more fun news on the topic:
> jquery.com got pwned and was serving malware:
> http://www.net-security.org/malware_news.php?id=2869
>
> Webs apps are structured around letting any random website execute code on
> your machine, and they can even include random code from any other website and
> transparently execute that on your machine.
>
> It is not surprising that Finspy, NSA, etc. all focus on using websites to pwn
> computers.
The fun doesn't stop at jquery.com! Doubleclick's ad servers were also pwned
to serve malware:
http://it-beta.slashdot.org/story/14/09/19/2232241/googles-doubleclick-ad-servers-exposed-millions-of-computers-to-malware
Everyone got a good ad blocker installed? Also, it is probably time for
turning javascript off by default on your browser, and just whitelisting it
when its required.
.hc
--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
More information about the Guardian-dev
mailing list