XSS vulnerabilities can affect embedded browsers in mobile apps
A security researcher has noted that the use of embedded browsers in mobile applications can make those applications vulnerable to cross site scripting attacks. Developers of mobile software have found it can be effective to embed a smartphone operating system's web browser and then create their user interface using HTML, CSS and JavaScript. The user interface is then more portable to other devices and is easier to customise using CSS. But this convenience comes at a cost. Researcher Kyle Osborn, who is presenting his findings at TakedownCon, found that some developers don't clean the data being sent to their HTML-based user interface.
In Google Earth on the iPad, he found it was possible to embed JavaScript in location information in a layer. Demonstrating the flaw, Osborn showed that when the user browsed that location, his injected JavaScript was then executed and, in his proof of concept, displayed the /etc/hosts file. Google fixed the vulnerability on the server side, without needing to modify the client software. The impact of the vulnerability is limited though, as, in this case, it does not break the sandboxing of the applications and, as the instance of the browser is embedded, it does not have access to the cookies and other information accumulated by normal browser sessions. An earlier version of Osborn's talk is available online.
With more and more applications using embedded browsers, on mobile devices and on the desktop, the potential for exploits that will be able to make effective use of uncleaned data being injected into the HTML front-end is increasing. Skype's iPhone application suffered from an XSS attack in September and its desktop application suffered one in July. Application developers who are embedding a web browser into their application need to ensure they follow the same rules that a web application developer should follow when sending data to the interface, for example, ensuring that no HTML or script tags are embedded in the data.
(djwm)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
