iOS and Android weaknesses allow stealthy pilfering of website credentials
Ars Technica just posted news of new vulnerabilities discovered in both iOS and Android devices. These vulnerabilities could allow an attacker to dump text input, steal website credentials, and silently link the victim's device to an attacker's Dropbox account.
Both OSes fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission, according to a just-published academic paper from scientists at Microsoft Research and Indiana University. The so-called same-origin policy is a fundamental security mechanism enforced by desktop browsers, but the protection is woefully missing from many iOS and Android apps. To demonstrate the threat, the researchers devised several hacks that carry out so-called cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks to surreptitiously download user data from handsets.
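To make the missing check concrete, here is an added example (not code from the paper, Ars Technica, or either platform) of the same-origin gate a mobile app's WebView bridge should apply before handing page scripts any data; the bridge name, cookie jar, and domains are constructed for illustration.

```javascript
// Added example: a same-origin gate in front of a hypothetical WebView-to-native
// bridge. Names and sample data are constructed; this is not any vendor's SDK.

// Canonical origin = scheme + host + effective port, as the same-origin policy
// defines it. A missing port is replaced by the scheme's default so that
// "https://bank.example" and "https://bank.example:443" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPort = { 'https:': '443', 'http:': '80' }[u.protocol];
  const port = u.port || defaultPort;
  if (!port) throw new Error(`unsupported scheme ${u.protocol}`);
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed cookie jar keyed by origin, standing in for the app's web storage.
const cookieJar = {
  'https://bank.example:443': 'session=constructed-session-token',
};

// The bridge a WebView would expose to page scripts. Rather than returning data
// to whatever document happens to be loaded (the failure the paper describes),
// it requires the requesting document's origin to match the origin whose data
// is requested, mirroring what a desktop browser enforces automatically.
function bridgeGetCookie(documentUrl, requestedUrl) {
  if (!sameOrigin(documentUrl, requestedUrl)) {
    return { ok: false, reason: 'cross-origin request denied' };
  }
  return { ok: true, cookie: cookieJar[originOf(requestedUrl)] ?? null };
}
```

A document loaded from attacker.example is refused the bank.example cookie, while a document from bank.example itself is served; scheme and subdomain differences are treated as distinct origins.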
Although the developers of the affected apps can release patches, the best course of action would be for Apple and Google to implement a fix across the board. These issues are only present in mobile applications and do not affect desktop software.