Researchers from the security firm Rapid7 have discovered a critical bug in the Google Play Store web application that enables remote code execution on Android devices. The researchers claim that attackers can perform a Cross-Site Scripting attack against the Google Play Store.
Researcher Tod Beardsley wrote in the blog post that although the Google Play Store web application supports X-Frame-Options (XFO), its XFO coverage is incomplete. Because of this gap, attackers can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Android package (APK) provided by the Play Store.
What is X-Frame Options?
The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites use it to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.
Affected Platform
Devices running Android 4.3 (Jelly Bean) and earlier, whose browsers ship with UXSS exposures, are affected by the bug. Users who are habitually signed into Google services such as Gmail or YouTube are the ones most at risk.
The Rapid7 team has developed a Metasploit module that combines the two vulnerabilities, allowing an attacker to execute code remotely on affected Android devices. The researchers explained:
"First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) as well as some other browsers, prior to 4.4 (KitKat). Second, the Google Play store's web interface fails to enforce an X-Frame-Options: DENY header on some error pages, and therefore, can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device."
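The weakness described above is not a missing header but incomplete coverage: the error pages were left without it. An added example (not Rapid7's code or Google's) of the check a site owner would run over a crawl of their own responses, including 404s and 500s, to find pages a third-party site could still frame; it honours both X-Frame-Options and the CSP frame-ancestors directive, and the paths and responses below are constructed for the illustration:

```python
"""Audit whether every response a site returns, error pages included,
carries an anti-framing policy. Sample responses are constructed."""
from typing import Dict, List, Optional, Tuple


def framing_policy(headers: Dict[str, str]) -> Optional[str]:
    """Return the effective anti-framing policy of one response, or None.

    Checks the Content-Security-Policy frame-ancestors directive first
    (browsers that support it give it precedence over XFO), then
    X-Frame-Options DENY / SAMEORIGIN. Header names are matched
    case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "deny"
            if sources == ["self"]:
                return "sameorigin"
            return "allow-list"  # named origins may frame the page
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return xfo
    return None


def find_unprotected(responses: List[Tuple[str, int, Dict[str, str]]]) -> List[str]:
    """Return the paths a third-party site could frame. Error pages count:
    a script injection on a frameable 404 is as usable as one on a 200."""
    return [path for path, _status, headers in responses
            if framing_policy(headers) is None]


# Constructed crawl results (hypothetical paths): only the 404 page is exposed.
SAMPLE_RESPONSES = [
    ("/apps", 200, {"X-Frame-Options": "DENY"}),
    ("/apps/details", 200,
     {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}),
    ("/apps/missing", 404, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for path in find_unprotected(SAMPLE_RESPONSES):
        print(f"frameable: {path}")
```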