Menu
AirDroid app fixes severe authentication vulnerability

AirDroid app fixes severe authentication vulnerability

The flaw affected AirDroid versions 3.0.4 and earlier

AirDroid, a popular management tool for Android devices, has fixed a severe authentication software flaw in its Web interface that could give a hacker complete control over a mobile phone.

The problem was fixed in an update released last month, wrote Matt Bryant, a consultant with the security company Bishop Fox, who discovered the flaw. Versions 3.0.4 and earlier of the tool are affected.

AirDroid lets people manage their phone from a Windows or Mac tablet or through a Web interface. To do that, it asks for a lot of permissions, such as the ability to send text messages, turn on a camera and have access to the phone, among many others.

Bishop Fox found it could take over a device running AirDroid by sending a person a malicious link over SMS, Bryant wrote.

The vulnerable versions of AirDroid use JavaScript Object Notation with padding, or JSONP, to request data from a server in a different domain, Bryant wrote. Web browsers usually prohibit this as a security precaution known as the same-origin policy.

"Due to JSONP being an insecure method of sharing data across origins, it is possible to hijack all of the AirDroid application functionality," Bryant wrote. "By doing this, other users' Android devices can be hijacked."

A successful attack means a hacker would have full control over an Android device and can see the phone's contacts, track the device using GPS and transfer photos.

Bryant wrote Bishop Fox tested AirDroid's patch "and have found it more than adequate."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Exploits / vulnerabilitiesBishop FoxSand Studio

Featured

Slideshows

Tech industry comes out in force as Lancom turns 30

Tech industry comes out in force as Lancom turns 30

A host of leading vendors and customers came together to celebrate the birthday of Lancom Technology in New Zealand, as the technology provider turned 30.

Tech industry comes out in force as Lancom turns 30
The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Show Comments