A vulnerability that a researcher planned to use to compromise an Android cellphone at a hacking contest later this week got squashed after Google fixed the underlying bug in the Android Market. Duo Security CTO Jon Oberheide notified Google of the XSS, or cross-site scripting, bug in the application bazaar because he didn't …
Allowing silent remote install - via the web - of untrusted apps into an untrusted platform filled with personal data and an always-on link to the Internet must count as one giant dumb move in mass market software history, not unlike the bygone Windows autorun.
It almost looks like Google secretly wants to make people fear the apps model and convince them to move to a more web-based "cloud" platform, even with all its limitations...
You can only remote install apps from the market, not the whole web.
Google are implementing app signature scanning to prevent future problems.
$1337 to one who suggested the WTF icon.
Let's just hope that teh awesum kewlness of the number makes up for the $13,663 one has to forego in order to get it.
₪4810 shekels is nothing to be sniffed at young man!
$31337 would be nicer.
Not that I'd complain at the grand-and-a-bit.
Always said the paltry 1337 and 3133.7 are too low. If Google had any confidence in its abilities it should put its money where its mouth is and up these amounts, to match the alternatives...
Hang on a minute...
"on-device confirmation that the user has to click in order to proceed"
Symbian OS has had this for fucking years and people constantly moaned about it.
I, for one, can't believe that all the Android vulnerabilities receive so little attention in the press. I remember the hoopla when the Cabir 'virus' surfaced on Symbian devices (despite the user having to confirm installation at three different points).
"I, for one, can't believe that all the Android vulnerabilities receive so little attention in the press."
And yet if it were an Apple iOS vulnerability, the media would be lapping it up.
Plenty of press
Many, many articles on the Android vulnerabilities.
You are looking in the wrong direction dude.
Killing the bug just before the pwn2own contest
But it wouldn't have won anyway; someone needed to click on a tainted link, so it's not a drive-by exploit. At least he got SOME money for his troubles.
The BBC has had a few articles this week on Android bugs/viruses.
Oops we seem to have killed our bug...
...luckily we are always adding more bugs. I think the situation is like the Bond film Tomorrow Never Dies in which Carver gets his software developers to leave plenty of bugs so users are upgrading for years to come.
It should be pretty easy to release software without holes. Just don't base it on an operating system. What you get when you buy the thing is how it stays. All apps run directly on the metal and are compiled together with the library but no OS. Considering people only keep these smart phones 18 months, that's hardly a problem. This works fine for DVD players and engine management systems.
I thought DVD players....
I thought DVD players generally ran a custom front end on an embedded OS...?
I'm sure your DVD player is indeed running an OS. Probably QNX, VxWorks, or maybe even Linux. Besides, how is a shared library itself any more secure than an OS?
I think you're confusing a bare-bones OS with an environment. Two completely different things.
"I'm more disappointed that I won't be able to win Pwn2Own with a lame XSS, which would be absolutely hilarious"
That really is hilarious, and you definitely don't need to get out and live life a bit more.
No Tit Required...
Better to get $1300 than nothing.
Isn't it kind of naughty though... to hold on to these security risks just to try to win some money?
If they were ethical hackers - shouldn't they be telling Google/etc of the exploit AS SOON AS THEY FIND THE DAMN THINGS?
At least that's what I would do (if I could code).
If we're being puerile anyway.
Still trying to figure out what $13,663 is spelling, I don't get it.
The title is required, and must contain letters and/or digits.
13663 = leggs???
It is the difference between what he might have got for winning pwn2own and what he definitely got for reporting it to Google.
'"However, given that we trigger the install and execute our app when the user clicks our malicious link, it's trivial to root the device and immediately remove any notifications that were present," he added.'
I agree that the install is triggered, but is he sure that the app automatically executes? I haven't seen that one yet. Although making it autostart at bootup seems to be all too common, so maybe he's talking about that. E.g., install, set as autostart, wait for the user to reboot...
Hey, if it is so trivial to root the device...
...can we have a legit app to root and modify the hosts file to turn off some of the web adverts? It's kinda annoying in an EDGE-only area to wait, like, forever for something uninteresting to load up...