Earlier today, a massive security exploit involving Samsung’s default SwiftKey keyboard spread across the internet like wildfire, showing the dangers of manufacturers pre-loading third-party software on their phones. The vulnerability was pretty obscure and wouldn’t affect everyone with a Samsung device, but it was still a fairly serious exploit. Fortunately, Samsung has issued a relatively quick response about the whole situation.
Samsung has stated that they’re working on a fix, and it will be deployed through a security policy update via Knox. The vulnerability lay in how language packs for Samsung’s SwiftKey-backed keyboard were updated, and it doesn’t affect the normal version of SwiftKey that you may have downloaded through the Play Store.
Some recent security work on new Samsung smartphones will likely increase the pressure on manufacturers and carriers to dispense with preloading third-party apps. According to security researchers, they were able to figure out a way to deliver a payload capable of executing remote code via the Swift keyboard app that comes pre-installed on new Samsung devices. The vulnerability gives an attacker the ability to run code as a system user, one step shy of being root, and can be launched without input from the device’s user.
Many were concerned with Google’s decision to unbundle WebView from the core system starting with Android 5.0 Lollipop. Older devices would be left behind, too, without updates, and that means compromised security. Fortunately, Google has realized that so many Android apps take advantage of WebView that it only makes sense to support it further. With the latest version of Android, Google will be able to update WebView independently. Right now, developers can join the new beta channel to gain access to new APIs and other items. Developers will be able to become familiar with the updates before users get to see them.
You can join the beta channel of Android System WebView by clicking here.
Source: Android Developers Blog
A new report that surfaced today claims that Google has ended support for WebView on Android devices running Android 4.3 or older, a move that could leave users exposed to malicious attacks. WebView is considered a “core component” of Android and is used by applications to display web pages without opening an actual browser session. Starting with Android 5.0 Lollipop, Google decided to unbundle WebView from the core system so updates could be pushed out via the Google Play Store.
The source of the news regarding a lack of updates for Android versions 4.3 or older came from a response by Google’s Android security team to a report of a bug in the AOSP browser, which is based on WebView. According to the response to Joe Vennix of Rapid7 and independent researcher Rafay Baloch:
Security researcher Rafay Baloch released information about a vulnerability in the Same Origin Policy (SOP) protection used by browsers running on Android devices. The SOP is used to stop malicious code from spreading from one site to sites that a user has open in other tabs. According to some sources, this vulnerability is “a privacy disaster.” It appears to be limited to the Android Open Source Platform (AOSP) Browser, which has been replaced by Chrome on more recent builds of Android, and does not impact users on Android 4.4 or higher.
Metasploit, a popular vulnerability testing framework, added a new test module that would allow users to test how vulnerable some versions of the Android browser are to being hacked from shell access, and that’s when this exploit was found in Glass. The exploit would involve a man-in-the-middle hijacking that WebView instance, which wouldn’t be too difficult to do if you’re on a public WiFi or anything that isn’t well secured. At that point, the malicious code could do anything from taking photos with your device to remotely turning on your microphone. Definitely not a good thing.
Earlier this week Gibson Security tweeted some information it claimed could be used to exploit Snapchat, enabling malicious hackers to match usernames with phone numbers and build a profile of users. Gibson Security also claimed the security holes could allow for the creation of dummy accounts in bulk. According to Gibson Security, they notified Snapchat of the problems last August, but after not seeing any move to correct an issue that supposedly could be fixed with ten lines of code, they proceeded with making the exploit public.
Remember that little vulnerability we heard about on Nexus devices that could be maliciously exploited to cause a device to lock up and reboot? Looks like Google has finally added a fix for that in Android 4.2.2, which should be rolling out fairly soon. There are no other camera improvements or anything like that in this update, but according to the 4.4.2 changelog, there were a handful of things that got patched. The most significant one is that SMS exploit, but that doesn’t mean the few other things that were patched aren’t appreciated. If you’re a Nexus user, keep an eye out for this update.
An IT administrator named Bogdan Alecu has discovered that Nexus phones receiving a flood of texts may start to function a little bit differently. The Galaxy Nexus, Nexus 4, and Nexus 5 are all affected by this new exploit, which causes those phones to reboot, crash the messaging app, or even disable a network connection. While other devices seem to be safe, Alecu advises that he hasn’t tested many others. The bug comes from Class 0 SMS messages, which are not regularly stored on a handset.
A developer has already taken to the Play Store to release a fix. Class0Firewall is a free app that prevents the Class 0 SMS messages from sending your handset into a tailspin. Google has told PCWorld that they are looking into the issue; however, we have no timetable on when to expect a patch.
Source: DefCamp, Class0Firewall (Play Store)
You’ve read that title right, folks. Only a few days after the device went on sale, we already have an exploit that gives root access to the little HDMI dongle. The folks over at GTVHacker found this exploit. As you know, the Chromecast is supposed to be running a simplified version of ChromeOS; however, the folks at GTVHacker believe it to be more of a modified Google TV release. It appears that the bootloader, binaries, init scripts and kernel are from Google TV. That is what gave GTVHacker their access.
They’ve been able to build an exploit that allows people to gain a root shell on the device via telnet on port 23. While this is interesting in itself, Google could send out an update to the dongle and close this loophole. The team explains the loophole:
“By holding down the single button, while powering the device, the Chromecast boots into USB boot mode. USB boot mode looks for a signed image at 0x1000 on the USB drive. When found, the image is passed to the internal crypto hardware to be verified, but after this process the return code is never checked! Therefore, we can execute any code at will.”
GTVHacker’s wiki page hosts the file, and if you feel like tinkering with it you can download it from there. While this news doesn’t mean much for the average person, it was only a matter of time before someone would attempt to exploit the Chromecast. Hit the source link below for a full detailed explanation of how the exploit works. If you’re interested in seeing it in action you can check out the YouTube video after the break. Enjoy!
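The bug class in the quoted explanation, a verification call whose return code is never checked, sketched in C as an added example (not GTVHacker's or Google's code). The image layout, the `toy_tag` checksum and all function names are hypothetical stand-ins for the real signature check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMG_MAX 64

/* Constructed image layout: payload plus a tag the verifier recomputes. */
struct image {
    uint8_t  payload[IMG_MAX];
    size_t   len;
    uint32_t tag;
};

/* Stand-in for the crypto hardware. A real device verifies a signature;
 * this toy checksum only supplies a pass/fail return code. */
static uint32_t toy_tag(const uint8_t *p, size_t n) {
    uint32_t h = 0x5EC0B007u;            /* hypothetical device constant */
    for (size_t i = 0; i < n; i++)
        h = (h ^ p[i]) * 16777619u;
    return h;
}

/* Returns 0 when the image verifies, -1 otherwise. */
int hw_verify(const struct image *img) {
    if (img == NULL || img->len == 0 || img->len > IMG_MAX)
        return -1;
    return toy_tag(img->payload, img->len) == img->tag ? 0 : -1;
}

/* The flaw as described: verification runs, its result is discarded. */
int boot_unchecked(const struct image *img) {
    (void)hw_verify(img);
    return 1;                            /* 1 = control would pass to image */
}

/* Corrected flow: anything other than explicit success refuses to boot. */
int boot_checked(const struct image *img) {
    return hw_verify(img) == 0 ? 1 : 0;
}

/* Builds a constructed sample image; tamper != 0 flips one payload byte
 * after the tag is computed, as a modified image would look. */
struct image make_image(int tamper) {
    struct image img;
    memset(&img, 0, sizeof img);
    img.len = 16;
    memcpy(img.payload, "constructed-boot", 16);
    img.tag = toy_tag(img.payload, img.len);
    if (tamper)
        img.payload[0] ^= 0xFF;
    return img;
}
```

The corrected loader fails closed: a NULL image, an out-of-range length and a tag mismatch all take the same refusal path as any other non-zero return.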