Slashdot Mirror


Security Expert Warns of Android Browser Flaw

justice4all writes "Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. 'While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,' Cannon wrote. 'It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.'" Sophos's Chester Wisniewski adds commentary on how this situation is one of the downsides to Android's increasing fragmentation in the mobile marketplace.

3 of 98 comments

  1. linkbait by Anonymous Coward · Score: 3, Informative

    1. Have to know full path to a file to view it.
    2. Have to download a file, presumably from someone you don't know and trust.
    3. This is in all browser versions, so how exactly does fragmentation factor in?

    Like everything else, buzzwords like Android fragmentation guarantee hits.

    1. Re:linkbait by node+3 · Score: 4, Informative

      Fragmentation affects the creation and distribution of the patch.

  2. Abuse of "zero-day" term? by ciaran_o_riordan · Score: 5, Informative

    "Zero-day" attacks are when the application developers had no awareness of the problem before the information got to people who might exploit the problem.

    TFA says Cannon gave Google prior warning, so this isn't zero-day, right?

    http://en.wikipedia.org/wiki/Zero-day_attack

    I think news agencies just stick "zero-day" to all virus/bug news because it sounds scary.