Read the full article: http://securityintelligence.com/apache-cordova-phonegap-vulnerability-andr...
Read the full article: http://securityintelligence.com/apache-cordova-phonegap-vulnerability-android-banking-apps/
In this paper we disclose a severe Cross-Application Scripting (XAS) vulnerability in Apache Cordova for Android. This vulnerability enables theft of sensitive information from Cordova-based apps both locally by malware and also remotely by using Drive-By exploitation techniques. In addition, we also present a set of vulnerabilities which allow for data exfiltration to an arbitrary target, bypassing Cordova's whitelisting mechanism. In addition, we describe the exploitation techniques and a Proof-of-Concept. The issues had been privately and responsively disclosed to Cordova which provided a mitigation that is also discussed in this paper.