Google Chrome for Android — UXSS and Credential Disclosure

Here we go.
In July 2011, Roee Hay and Yair Amit from the IBM Research Group found a UXSS vulnerability in the default Android browser. This bug allowed a malicious application to inject JavaScript code into the context of an arbitrary domain and steal cookies or do other nasty things. Anyway, this bug was fixed in Android 2.3.5.

On June 21, 2012, Google Chrome for Android was released. I’ve found some interesting bugs there. Just have a look.

UXSS

As expected, the main Chrome activity isn't affected by this vulnerability. However, let's view the AndroidManifest.xml file from the Chrome .apk.

You can see that the class com.google.android.apps.chrome.SimpleChromeActivity can be called from another application, since it has the corresponding directive declared in the manifest.
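As an added example (not from the original post or the Chrome project), a short audit script that applies the Android export rule to a manifest and lists the components other apps can start; the manifest it parses is a constructed sample, not Chrome's real one:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not Chrome's real one). It mixes the
# cases an auditor must tell apart: an explicit export, an implicit
# export via <intent-filter>, an explicit opt-out, and a private one.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.browser">
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="http"/>
      </intent-filter>
    </activity>
    <activity android:name=".SimpleActivity" android:exported="true"/>
    <activity android:name=".Settings" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
    <activity android:name=".Internal"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def exported_components(manifest_xml):
    """Return [(component, reason)] for every activity, service or receiver
    that other applications can start. Rule from the Android docs: an
    explicit android:exported wins; otherwise a component that declares an
    <intent-filter> is exported and one that does not is private."""
    root = ET.fromstring(manifest_xml)
    found = []
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        exported = attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            found.append((attr(comp, "name"), 'android:exported="true"'))
        elif exported is None and has_filter:
            found.append((attr(comp, "name"), "implicit: has <intent-filter>"))
    return found


if __name__ == "__main__":
    for name, reason in exported_components(SAMPLE_MANIFEST):
        print("%s is reachable from other apps (%s)" % (name, reason))
```

Every component the script lists is one whose intent data (here, the URL to load) arrives from an untrusted caller and needs scheme validation before use.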

Decompile classes.dex from the apk and look at the SimpleChromeActivity class.

The onCreate method provided above shows that the URL passed in is loaded in the current tab rather than in a new one.

There are a couple of ways to start this activity — via the Android API or the Activity Manager. Calling through the Android API is a bit more involved, so I used the "am" command from the adb shell.

shell@android:/ $ am start -n com.android.chrome/com.google.android.apps.chrome.SimpleChromeActivity -d 'http://www.google.ru'

I think there is also a non-security problem here with how content is displayed. As the title shows, Chrome loaded www.google.ru in SimpleChromeActivity instead of Main, and this activity has access to the Chrome cookie database. The next step is injecting JavaScript code.

shell@android:/ $ am start -n com.android.chrome/com.google.android.apps.chrome.SimpleChromeActivity -d 'javascript:alert(document.cookie)'

Voilà, JavaScript has been executed in the context of the domain http://www.google.ru.

CREDENTIAL DISCLOSURE

Another problem — automatic file downloading — was a real headache for all Chrome-like browsers. If you opened a binary file in the Chrome browser, it was downloaded to the SD card directory without your approval. The same thing happened with the default browser, where this "feature" was used by the NotCompatible malware. So you may ask what this has to do with credential disclosure. Look at the Chrome directory on the system.

These files (such as Cookies, History, etc.) can be read only by the Chrome app. It looks secure. Now try launching Chrome with a file:// URL and opening the Cookies file.

shell@android:/ $ am start -n com.android.chrome/com.android.chrome.Main -d 'file:///data/data/com.android.chrome/app_chrome/Default/Cookies'

When the browser starts, the Cookies file is downloaded/copied to /sdcard/Downloads/Cookies.bin, where any application on the system can read it.

I provided detailed information to the Chromium security team, and these bugs were fixed in version 18.0.1025308.

Links:
http://code.google.com/p/chromium/issues/detail?id=138035
http://code.google.com/p/chromium/issues/detail?id=138210

Author: Artem Chaykin, Positive Research.
