Google has Patched Remote Code Execution Android Market Vulnerability

Google has now patched critical vulnerabilities in the Android Market website that would have allowed attackers to remotely install rogue apps on visitors' devices. The bug was discovered by Jon Oberheide, a security researcher at Duo Security. It stemmed from a simple cross-site scripting (XSS) weakness in the form used to publish new applications.

Jon explains that there was insufficient input validation in the application description form, which allowed malicious code to be inserted into the resulting application page. That code could then have been used to trigger a remote app installation through the INSTALL_ASSET functionality.
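The defect described above is a stored XSS: text submitted through a publishing form is later rendered into a page without encoding. The following added example (not Google's or Android Market's code; the form field, function names and sample description are constructed for illustration) shows the vulnerable rendering pattern beside its hardened form, plus a server-side validator for the form field as defence in depth.

```python
import html
import re

# Constructed sample: an app description as it might arrive from a publishing
# form. The script tag stands in for any injected markup; it is test data only.
SAMPLE_DESCRIPTION = 'Great game! <script>alert("xss")</script>'


def render_description_unsafe(description: str) -> str:
    """Vulnerable pattern: untrusted text is concatenated straight into HTML,
    so any markup in the description becomes part of the page and runs in
    every visitor's browser."""
    return "<div class='description'>" + description + "</div>"


def render_description_safe(description: str) -> str:
    """Hardened pattern: HTML-encode the untrusted text at output time so the
    browser treats it as data, never as markup or script."""
    return "<div class='description'>" + html.escape(description, quote=True) + "</div>"


MAX_LEN = 4000                      # assumed limit for a description field
_TAG_RE = re.compile(r"<[^>]*>")    # crude detector for anything tag-like


def validate_description(description: str) -> tuple:
    """Server-side input validation for the form (defence in depth; output
    encoding above remains the primary control). Rejects over-long text,
    control characters, and anything that looks like markup.
    Returns (accepted, reason)."""
    if len(description) > MAX_LEN:
        return False, "description too long"
    if any(ord(c) < 32 and c not in "\n\t" for c in description):
        return False, "control characters not allowed"
    if _TAG_RE.search(description):
        return False, "markup not allowed in description"
    return True, "ok"


def contains_active_markup(rendered_html: str) -> bool:
    """Check helper: does the rendered page still contain a live <script> element?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("unsafe render executes injected markup:",
          contains_active_markup(render_description_unsafe(SAMPLE_DESCRIPTION)))
    print("safe render neutralises it:",
          not contains_active_markup(render_description_safe(SAMPLE_DESCRIPTION)))
    print("form validation verdict:", validate_description(SAMPLE_DESCRIPTION))
```

Output encoding is the control that actually closes the hole; the validator only narrows what reaches storage and would not have been enough on its own, since a description can legitimately contain characters such as `<` and `&`.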
This type of installation, which is considered a feature of the Android Market, was criticized because it doesn't display any prompt on the user's device asking for confirmation.
The researcher reported the flaw to Google as soon as he found it, but now he regrets the decision because he didn't realize it qualified for the Pwn2Own contest that starts tomorrow and pays $15,000 for an Android compromise.