Exploiting the Nuclear Security Summit 2014 Android app – a demo

Published by admin on



The NSS 2014 aims to hold an almost paperless summit. Apps (iOS & Android) are created to render the paper version of the programme obsolete.

Securify identified that the Android app exposes several insecure Javascript bridges. The app also misses crucial SSL/TLS certificate checks, making the app susceptible to man in the middle attacks. Combining these issues renders the app vulnerable to remote code execution.

This video shows a demo of how this can be exploited to gain remote access to the phone of affected users.

Fix:
Certificate validation was restored in version 2.0.0 of NSS 2014 for Android (released on March 19, 2014). Version 2.0.3 opens insecure (HTTP) links in an external browser, which prevents attackers from exploiting the affected Javascript bridges (released on March 21, 2014).

http://www.securify.nl/advisory/SFY20140301/nss_2014_affected_by_remote_code_execution___insecure_certificate_validation.html

Likes: 0

Viewed: 672

source


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

en_USEnglish
en_USEnglish
%d bloggers like this: