A trio of critical vulnerabilities discovered in Apache Cordova could target any keyword on mobile devices and begin hijacking banking credentials and more just by having a user visit a malicious webpage.
Researchers at IBM’s Security X-Force research team discovered the vulnerability and have a proof-of-concept tool demonstrating just how easy it is to begin hijacking credentials from applications utilizing Cordova.
The set of vulnerabilities discovered actually resides in the Apache Cordova platform itself. IBM discovered that the platform is vulnerable to cross-application scripting (XAS), meaning an attacker can inject malicious code into the application and bypass the sandbox as well as hijack any app running the vulnerable version of the Cordova platform.
Apache Cordova is a popular platform developers build their applications on. AppBrain shows that over 5.8 percent of all Android applications on the market are built on Apache Cordova, meaning a massive portion of Android devices are vulnerable.
Executing an attack on the platform
For an attacker to exploit the vulnerability, they would need two things. A webpage hosting the malicious file and a targeted Android user. IBM researchers demoed the vulnerability by having the attacker send the victim a common phishing email, saying click <link here> to reset your credentials or similar. The victim clicks the link and an executable disguised as an HTML file is automatically downloaded.
All the attacker needs to do is hide the malicious HTML file inside an iframe. Once the file is downloaded, the attacker can trigger the device to execute an Android activity using the intent command, inside, the malware can be holding schemes for keywords to target. If an attacker knew that a banking application was vulnerable, they could target that application via a scheme keyword and execute the malware on that specific application. Once the command is executed, Cordova’s webview will automatically open what it believes to be a URL and trigger the vulnerability. From there, the attacker can hijack the whole application within mere seconds of the initial execution.
As the malware can target specific keywords to target specific apps, an attacker could target ‘bank’ or ‘retail’ and hijack a banking session cookie and the attacker would have full access to the victims accounts. IBM stated the attack was most commonly executed through the stock Android browser or Google Chrome, this is due to their autodownload functionality. This does not mean other browsers are safeguarded from the attacks, some Cordova-based apps can be exploited with all browsers.
IBM researchers made a video demonstrating the vulnerability:
“In general, attackers target applications and data that will have a strong return on investment (ROI). Banking apps can provide access to financial assets which is why they are attractive targets for attackers. However, any app, and keyword to find that app, could be a target. For example, ‘retail’ or the name of a large retail chain would be a target for a thief trying to go on a free shopping spree. ‘Health’ or ‘health insurance’ would be of interest to attackers interested in identity theft and/or selling sensitive medical information. And cyber-attackers looking to impact critical infrastructure activity could look for keywords like, ‘smart meter’ or even ‘home automation’ or ‘camera.’ The key point here is that many applications, of all types, built on Apache Cordova could be vulnerable and a lucrative target for an attacker, depending on their objectives,” Hay also told Freedom Hacker.
While the vulnerability is harsh towards consumers, this could affect businesses as well. Hays told us if a business employee was targeted and a banking application on the device held privileged credentials, the attacker could have access to some of the organizations assets.
Hays told us this cross-application scripting vulnerability dates back four years, and affects versions 0.9.3 – 3.5.0. Version 0.9.3 was initially released back in 2010.
Not only is the vulnerability bad in itself, little to no proactive measures can be taken to stop an attack as such from hitting the mobile device. If an application is using a vulnerable version of Apache Cordova and is not updated, that mobile device is susceptible to this seamlessly easy attack. Hays told us the local attack by malware cannot be prevented once the user has installed the malware, but the only measure to take would be to use a different browser than the stock Android or Chrome browsers. But as stated previously, some Cordova-based applications can be exploited throughout all browsers.
The Trio of Vulnerabilities
IBM in total discovered three vulnerabilities inside Apache Cordova:
- Cordova Cross-Application Scripting via Android Intents – CVE-2014-3500
- Cordova white list bypass for non-HTTP URLs – CVE-2014-3501
- Cordova apps can potentially leak data to other apps via URL loading – CVE-2014-3502
Photo credit: securityintelligence.com