Mar 8, 2011 07:45 GMT

Google has fixed a critical vulnerability in the Android Market website which allowed potential attackers to remotely install rogue apps on visitors' devices.

The bug stemmed from a simple cross-site scripting (XSS) weakness in the form used to publish new applications and was discovered by Jon Oberheide, a security researcher at Duo Security.

Oberheide explains that insufficient input validation in the application description form allowed the insertion of malicious code in the resulting application page.

The code could have been used to trigger a remote app installation procedure through the INSTALL_ASSET functionality.

This type of installation, which is considered a feature of the Android Market, was criticized because it doesn't display any prompt on the user's device asking for confirmation.

"While being able to browse the Android market via your browser on your desktop and push apps to your device is a great win for user experience, it opens up a dangerous attack vector.

"Any XSS vulnerabilities in the web market allow an attacker to force your browser into making a POST request that triggers an app installation to your phone," explains Oberheide.

The remaining challenge for an attacker is getting the installed app to run, but apparently this too can be achieved by combining the same XSS with some other Android quirks.

The researcher reported the flaw to Google as soon as he found it, but now he regrets the decision because he didn't realize it qualified for the Pwn2Own contest that starts tomorrow and pays $15,000 for an Android compromise.

Money is not necessarily the issue, but rather the type of vulnerability itself. "I’m more disappointed that I won’t be able to win Pwn2Own with a lame XSS, which would be absolutely hilarious since Pwn2Own usually brings out the most exciting and technical exploits of the year," Oberheide writes.