Researchers at Trend Micro say attackers are actively exploiting a vulnerability in Android’s WebView browser in order to compromise Facebook accounts.
The flaw allows the attackers to bypass Android’s Same Origin Policy (SOP), and impacts devices running versions of the operating system prior to 4.4. The vulnerability, CVE-2014-6041, was first disclosed in September by an independent researcher. But months later, the vulnerability continues to be exploited in the wild.
“The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick=”window.open(‘\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser,” according to the National Vulnerability Database.
According to Trend Micro Mobile Security Engineer Simon Huang, the attack targets Facebook users via a link in a particular Facebook page that leads to a malicious site. The page contains obfuscated JavaScript code that includes an attempt to load a Facebook URL in an inner frame. The user will only see a blank page as the page’s HTML has been set not to display anything via its div tag while the inner frame has a size of one pixel, he added.
“While these routines are being carried out, the SOP bypass is being performed,” he blogged, adding that a remote JavaScript file is loaded from a legitimate cloud storage provider.
The file, he noted, contains the malicious code of the attack and enables the attackers to perform the following activities on Facebook:
- Add friends
- Like and follow Facebook pages
- Modify subscriptions
- Authorize a Facebook app to access the user’s public profile, friends list, birthday information, likes and friends’ likes
- Steal the victim’s access tokens and upload them to their server at http://{BLOCKED}martforchristmas.website/walmart/j/index.php?cid=544fba6ac6988&access_token= $token;
- Collect analytics data (such as victims’ location, HTTP referrer, etc.) using the legitimate service at https://whos.{BLOCKED}ung.us/pingjs/
“In addition to the code at the above site, we found a similar attack at http://www.{BLOCKED}php.com/x/toplu.php,” Huang explained. “We believe both of them are created by the same author because they share several function names, as well as the client_id of the Facebook app.”
“The client_id involved in this malware was “2254487659”,” he added. “This is an official BlackBerry App maintained by BlackBerry. We confirmed with BlackBerry and clarified that this malware is trying to take advantage of the trusted BlackBerry brand name and steal user’s access-tokens, which can be used to make requests to Facebook APIs and read user’s information or to publish content to Facebook on behalf of a person.”
Blackberry is working with Facebook and Trend Micro to address the issue. Google has already issued a fix for the vulnerability for Android users.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- New York Man Arrested for Running BreachForums Cybercrime Website
- Huawei Has Replaced Thousands of US-Banned Parts With Chinese Versions: Founder
- Latitude Financial Services Data Breach Impacts 300,000 Customers
