Hacker kills his own Pwn2Own bug for Android phones

A vulnerability that a researcher planned to use to compromise an Android cellphone at a hacking contest later this week got squashed after Google fixed the underlying bug in the Android Market. Duo Security CTO Jon Oberheide notified Google of the XSS, or cross-site scripting, bug in the application bazaar because he didn't …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Dumb move

Allowing silent remote install - via the web - of untrusted apps into an untrusted platform filled with personal data and an always on link to the Internet must count as one giant dumb move in mass market software history, not unlike the bygone Windows autorun.

It almost looks like Google secretly wants to make people fear the apps model and convince them to move to a more web-based "cloud" platform, even with all its limitations...

FAIL

errmm

you can only remote install apps from the market, not the whole web.

Google are implementing app signature scanning to prevent future problems.

WTF?

$1337?

Seriously!

WTF?

WTF

$1337 to one who suggested the WTF icon.

Gold badge
Happy

@Steen Hive

Let's just hope that teh awesum kewlness of the number makes up for the $13,663 one has to forego in order to get it.

Silver badge
Thumb Up

aye

₪4810 shekels is nothing to be sniffed at young man!

Silver badge

$31337 would be nicer.

Not that I'd complain at the grand-and-a-bit.

Anonymous Coward

LEET

Always said the paltry 1337 and 3133.7 are too low. If Google had any confidence in its abilities it should put its money where its mouth is and up these amounts, to match the alternatives...


Hang on a minute...

"on-device confirmation that the user has to click in order to proceed "

Symbian OS has had this for fucking years and people constantly moaned about it.

I, for one, can't believe that all the Android vulnerabilities receive so little attention in the press. I remember the hoopla when the Cabir 'virus' surfaced on Symbian devices (despite the user having to confirm installation at three different points).

Anonymous Coward

And yet...

"I, for one, can't believe that all the Android vulnerabilities receive so little attention in the press."

And yet if it were an Apple iOS vulnerability, the media would be lapping it up.

Heart

Plenty of press

Many, many articles on the Android vulnerabilities.

You are looking in the wrong direction dude.


Good timing...

Killing the bug just before the pwn2own contest

Silver badge
Stop

right

But it wouldn't have won anyway; someone needed to click on a tainted link, so it's not a drive-by exploit. At least he got SOME money for his troubles.

Grenade

BBC News

The BBC has had a few articles this week on Android bugs/viruses.


Oops we seem to have killed our bug...

...luckily we are always adding more bugs. I think the situation is like the Bond film Tomorrow Never Dies in which Carver gets his software developers to leave plenty of bugs so users are upgrading for years to come.

It should be pretty easy to release software without holes. Just don't base it on an operating system. What you get when you buy the thing is how it stays. All apps run directly on the metal and are compiled together with the library but no OS. Considering people only keep these smart phones 18 months, that's hardly a problem. This works fine for DVD players and engine management systems.


I thought DVD players....

I thought DVD players generally ran a custom front end on an embedded OS...?

Anonymous Coward

No OS?

I'm sure your DVD player is indeed running an OS. Probably QNX, VxWorks, or maybe even Linux. Besides, how is a shared library itself any more secure than an OS?

I think you're confusing a bare-bones OS with an environment. Two completely different things.

Thumb Up

Yes

"I'm more disappointed that I won't be able to win Pwn2Own with a lame XSS, which would be absolutely hilarious"

That really is hilarious, and you definitely don't need to get out and live life a bit more.

Thumb Up

No Tit Required...

Better to get $1300 than nothing.

Anonymous Coward

Ethical?

Isn't it kind of naughty though... to hold on to these security risks just to try to win some money?

If they were ethical hackers, shouldn't they be telling Google/etc. of the exploit AS SOON AS THEY FIND THE DAMN THINGS?

At least that's what I would do (if I could code).

Jobs Halo

Dime Bar

LMAO


58,008

If we're being puerile anyway.

Still trying to figure out what $13,663 is spelling; I don't get it.

Anonymous Coward

The title is required, and must contain letters and/or digits.

13663 = leggs???

Headmaster

$13,663...

It is the difference between what he might have got for winning pwn2own and what he definitely got for reporting it to Google.

Anonymous Coward

Autorun?

'"However, given that we trigger the install and execute our app when the user clicks our malicious link, it's trivial to root the device and immediately remove any notifications that were present," he added.'

I agree that the install is triggered, but is he sure that the app automatically executes? I haven't seen that one yet. Although making it autostart at bootup seems to be all too common, so maybe he's talking about that. E.g., install, set as autostart, wait for the user to reboot...

Silver badge

Hey, if it is so trivial to root the device...

...can we have a legit app to root and modify the hosts file to turn off some of the web adverts? It's kinda annoying in an EDGE-only area to wait, like, forever for something uninteresting to load up...
