A cross-site scripting (XSS) vulnerability exists in the browser version of AirDroid, a cloud management application for Google’s Android phones. According to an alert from the US-Computer Emergency Readiness Team (US-CERT), at the current time, there is no patch planned and there is no logical workaround.
According to a warning on the US-CERT’s Vulnerability Notes Database this morning, if an attacker was able to get access to a phone with AirDroid installed, they’d be able to send a malicious text message to the browser associated with the account. Once that message is brought up on the browser, the attacker could execute an XSS attack which in turn could lead to a slew of problems, including information leakage, privilege escalation and denial of service on the compromised machine.
Apparently the problem is that AirDroid’s web interface, web.airdroid.com, doesn’t properly sanitize the code it’s sent via text messages. The app can be used in tandem with popular browsers such as Internet Explorer, Google Chrome, Mozilla Firefox and Apple’s Safari, to access files on Android devices from the web.
AirDroid already relies on using a safe HTTPS connection and a series of one-time QR codes/passwords to enable phone-to-computer sharing, which makes the Web interface oversight interesting. The security section of AirDroid’s website notes the service can only be used while both devices are on the same WiFi network and that it limits log-ins.
While CERT offers some good advice in suggesting users only allow connections from trusted hosts and networks, that doesn’t exactly work in this case. The XSS attack “comes as an HTTP request from a legitimate user’s host,” or essentially a phone that’s already been set up and authorized. This means there is no current workaround and as CERT notes, no practical solution to this problem.
While developers of the application didn’t respond to an email request for comment on Monday, the software’s most recent update came last Aug. 15, which suggests a patch or update is long overdue.