Hacker kills his own Pwn2Own bug for Android phones

A vulnerability that a researcher planned to use to compromise an Android cellphone at a hacking contest later this week got squashed after Google fixed the underlying bug in the Android Market. Duo Security CTO Jon Oberheide notified Google of the XSS, or cross-site scripting, bug in the application bazaar because he didn't …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Dumb move

    Allowing silent remote install - via the web - of untrusted apps into an untrusted platform filled with personal data and an always on link to the Internet must count as one giant dumb move in mass market software history, not unlike the bygone Windows autorun.

    It almost looks like Google secretly wants to make people fear the apps model and convince them to move to a more web-based "cloud" platform, even with all its limitations...

    1. MarkOne
      FAIL

      errmm

      you can only remote install apps from the market, not the whole web.

      Google are implementing app signature scanning to prevent future problems.

  2. Steen Hive
    WTF?

    $1337?

    Seriously!

    1. Jdoe1
      WTF?

      WTF

      $1337 to one who suggested the WTF icon.

      1. M Gale

        $31337 would be nicer.

        Not that I'd complain at the grand-and-a-bit.

      2. Anonymous Coward
        Anonymous Coward

        LEET

        always said the paltry 1337 and 3133.7 are too low. if google had any confidence in its abilities it should put its money where its mouth is and up these amounts, to match the alternatives...

    2. TeeCee Gold badge
      Happy

      @Steen Hive

      Let's just hope that teh awesum kewlness of the number makes up for the $13,663 one has to forego in order to get it.

    3. Danny 14
      Thumb Up

      aye

      ₪4810 shekels is nothing to be sniffed at young man!

  3. James 47

    Hang on a minute...

    "on-device confirmation that the user has to click in order to proceed "

    Symbian OS has had this for fucking years and people constantly moaned about it.

    I, for one, can't believe that all the Android vulnerabilities receive so little attention in the press. I remember the hoopla when the Cabir 'virus' surfaced on Symbian devices (despite the user having to confirm installation at three different points).

    1. Anonymous Coward
      Anonymous Coward

      And yet...

      "I, for one, can't believe that all the Android vulnerabilities receive so little attention in the press."

      And yet if it were an Apple iOS vulnerability, the media would be lapping it up.

    2. Anonymous Coward
      Heart

      Plenty of press

      Many, many articles on the Android vulnerabilities.

      You are looking in the wrong direction dude.

  4. blodwyn

    Good timing...

    Killing the bug just before the pwn2own contest

    1. Danny 14
      Stop

      right

      but it wouldn't have won anyway, someone needed to click on a tainted link so it's not a drive-by exploit. At least he got SOME money for his troubles.

  5. Wayland Sothcott 1

    Oops we seem to have killed our bug...

    ...luckily we are always adding more bugs. I think the situation is like the Bond film Tomorrow Never Dies in which Carver gets his software developers to leave plenty of bugs so users are upgrading for years to come.

    It should be pretty easy to release software without holes. Just don't base it on an operating system. What you get when you buy the thing is how it stays. All apps run directly on the metal and are compiled together with the library but no OS. Considering people only keep these smart phones 18 months, that's hardly a problem. This works fine for DVD players and engine management systems.

    1. The Indomitable Gall

      I thought DVD players....

      I thought DVD players generally ran a custom front end on an embedded OS...?

    2. Anonymous Coward
      Anonymous Coward

      No OS?

      I'm sure your DVD player is indeed running an OS. Probably QNX, VxWorks, or maybe even Linux. Besides, how is a shared library itself any more secure than an OS?

      I think you're confusing a bare bone OS with an environment. Two completely different things.

  6. Tom 15
    Grenade

    BBC News

    The BBC has had a few articles this week on Android bugs/viruses.

  7. Anonymous Coward
    Thumb Up

    Yes

    "I'm more disappointed that I won't be able to win Pwn2Own with a lame XSS, which would be absolutely hilarious"

    That really is hilarious, and you definitely don't need to get out and live life a bit more.

  8. Tigra 07
    Thumb Up

    No Tit Required...

    Better to get $1300 than nothing.

  9. Anonymous Coward
    Anonymous Coward

    Ethical?

    Isn't it kind of naughty though... to hold on to these security risks just to try to win some money?

    If they were ethical hackers - shouldn't they be telling google/etc of the exploit AS SOON AS THEY FIND THE DAMN THINGS?

    At least that's what I would do (if I could code).

    1. Duffaboy
      Jobs Halo

      Dime Bar

      LMAO

  10. Robert Carnegie Silver badge

    58,008

    If we're being puerile anyway.

    Still trying to figure out what $13,663 is spelling, I don't get it.

    1. Anonymous Coward
      Anonymous Coward

      The title is required, and must contain letters and/or digits.

      13663 = leggs???

    2. Gareth.
      Headmaster

      $13,663...

      It is the difference between what he might have got for winning pwn2own and what he definitely got for reporting it to Google.

  11. Anonymous Coward
    Anonymous Coward

    Autorun?

    '"However, given that we trigger the install and execute our app when the user clicks our malicious link, it's trivial to root the device and immediately remove any notifications that were present," he added.'

    I agree that the install is triggered, but is he sure that the app automatically executes? I haven't seen that one yet. Although making it autostart at bootup seems to be all too common, so maybe he's talking about that. Eg, install, set as autostart, wait for the user to reboot...

  12. heyrick Silver badge

    Hey, if it is so trivial to root the device...

    ...can we have a legit app to root and modify the hosts file to turn off some of the web adverts? It's kinda annoying in an EDGE-only area to wait, like, forever for something uninteresting to load up...
