Here we go.
As expected, the main Chrome activity isn't affected by this vulnerability. However, let's view the AndroidManifest.xml file from the Chrome .apk.
You can see that the class com.google.android.apps.chrome.SimpleChromeActivity can be started by another application, since it has the directive declared.
Decompile classes.dex from the .apk and look at the SimpleChromeActivity class.
The onCreate method shown above loads a new URL in the current tab rather than opening a new one.
There are a couple of ways to start this activity: via the Android API or via the Activity Manager. Calls from the Android API are a bit more involved, so I used the "am" command from the adb shell.
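The manifest check described above, done programmatically: an added example (not from the original post or from Chromium) that applies the standard Android export rule to a constructed sample manifest and reports activities any third-party app could start without holding a permission. The manifest, package and activity names are made up for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not Chrome's real manifest): one activity exported
# implicitly via an intent filter, one exported explicitly, one exported but
# guarded by a permission, and one private.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.browser">
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="http"/>
      </intent-filter>
    </activity>
    <activity android:name=".SimpleActivity" android:exported="true"/>
    <activity android:name=".GuardedActivity" android:exported="true"
              android:permission="com.example.browser.INTERNAL"/>
    <activity android:name=".PrivateActivity" android:exported="false"/>
  </application>
</manifest>
"""

def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(activity):
    """Android export rule: an explicit android:exported wins; otherwise a
    component with at least one <intent-filter> is exported (the default
    before targetSdk 31, i.e. the era of the Chrome 18 bug)."""
    explicit = attr(activity, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return activity.find("intent-filter") is not None

def audit_exported_activities(manifest_xml):
    """Return names of activities reachable from other apps with no permission
    requirement, which is exactly what an 'am start' from another app needs."""
    root = ET.fromstring(manifest_xml)
    return [attr(a, "name") for a in root.iter("activity")
            if is_exported(a) and attr(a, "permission") is None]

if __name__ == "__main__":
    for name in audit_exported_activities(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```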
shell@android:/ $ am start -n com.android.chrome/com.google.android.apps.chrome.SimpleChromeActivity -d 'http://www.google.ru'
Another problem, automatic file downloading, was a real headache for all Chrome-like browsers. If you opened a binary file in the Chrome browser, it was downloaded to the SD card directory without your approval. The same thing happened with the default browser, where this "feature" was used by the NotCompatible malware. So you may ask what this has to do with credential disclosure. Look at the Chrome directory on the system.
These files (Cookies, History, etc.) can be read only by the Chrome app, which looks secure. Now try launching Chrome with a file:// URL that points at the Cookies file.
shell@android:/ $ am start -n com.android.chrome/com.android.chrome.Main -d 'file:///data/data/com.android.chrome/app_chrome/Default/Cookies'
When the browser starts, the Cookies file is downloaded (copied) to /sdcard/Downloads/Cookies.bin, where any application on the system can read it.
I provided detailed information to the Chromium security team, and these bugs were fixed in version 18.0.1025308.
Author: Artem Chaykin, Positive Research.