Android browser vulnerability plugged by Gingerbread

Android has become a major player in the mobile community, and is on its way to being the #1 smartphone OS in the world. That also means it's become one of the most likely targets for hackers. Android users have uncovered a vulnerability, in which websites can gain unofficial access to all the information on your SD card.

It works like this: the Android browser doesn't prompt you for permission when it downloads a file. It then saves the file on your SD card, from which it can run JavaScript locally without permission. That JavaScript can then expose your data.

The discovery was originally made by Thomas Cannon, who found that these exploits gained access to whatever is stored on the SD card. For many, that just means music and apps, but it could also include personal photographs, or even sensitive business or personal information.

On the upside, the exploit isn't capable of mining just anything on your device. It has to know the name of what it's looking for, but that could still include ubiquitously named folders like "Music" and "Photos".

The Android team is working on a fix for Gingerbread (Android 2.3), which is expected to be announced on December 6th. Especially considering not all devices will be upgraded to Gingerbread at the outset, you should be wary of suspicious or unknown websites until you receive the update.

source: Android Community via SlashGear

Android Data Stealing Vulnerability from Thomas Cannon on Vimeo.