carnal0wnage [Shared Reader]

Friday, June 25, 2010

Android and another use for XSS

This morning I saw a tweet by @dinodaizovi . Dino posted a comment regarding an article by Google (you can find Here ) responding to an interesting method of gaining Root via "RootStrap" (link: Here ).

To summarize Google sort of dismissed the idea that this application (and research, by @jonoberheide was damaging because the application he created didn't have "root" permissions, it simply had network permissions to download rootkits and install them in areas of the device not meant for normal applications.

Google/Android removed the application with an over the air update. We are saved! .....okay {sarcasm}

It got me thinking, I remembered something I touched on during a presentation at a recent NoVAH Hackers meeting. The idea was basically using something like XSS to redirect an Android user to download an attacker's application(s).

Here is the video, stick around to the end, you may get a chuckle.


Android and another use for XSS from cktricky on Vimeo.

Happy Hacking!

~cktricky

No comments: