XSS Vulnerability In Google Earth, Said Kyle Osborn At TakeDownCon Security Conference

Security researchers have shown that relying on browser technology in mobile apps—and even some desktop apps—can result in hidden vulnerabilities in those applications that can give an attacker access to local data and device features through cross-site scripting. At TakeDownCon security conference in Las Vegas, researcher Kyle Osborn presented some examples of cross-site scripting attacks that he and colleagues have discovered on mobile devices. "XSS is generally considered to be a browser attack,"  But many applications, he said, such as those built with cross-platform mobile-development tools like PhoneGap, use HTML rendering to handle display of data. If applications aren't properly coded, it's possible for JavaScript or other web-based attacks to be injected into them through externally-provided data. "Often, there are times when you can just make a JavaScript request and pull files from the local filesystem," he said.
The most recent example Osborn found is a vulnerability in the Google Earth app that allows execution of arbitrary JavaScript code on the device by embedding script in location data. He says that the flaw has been reported to Google.
Osborn said other vulnerabilities that have been discovered, and that in most cases have now been patched, include Skype on Apple's iOS and Gmail on Android and iOS. The vulnerabilities aren't limited to mobile platforms—many desktop applications that use Webkit or another web rendering engine have also had issues, Osborn said. The Skype vulnerability was originally discovered on Mac OS X, and similar bugs have been discovered and patched in the Adium instant messaging client on OS X and Empathy social networking client on Ubuntu.


Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info. Thank You ! -Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You! -Team VOGH

Related Posts Plugin for WordPress, Blogger...