Researcher Finds Google Android Data Stealing Vulnerability. Presenter: 劉旭哲
Presentation transcript:


A researcher revealed a way to exploit a vulnerability affecting Google Android users that can be used to steal data.
– The flaw impacts Android 2.3.
– It is of the same nature as a vulnerability uncovered last year on Android 2.2.
– Data theft has so far been confirmed on the Nexus S.

Requires some knowledge of JavaScript and Android.
– The flaw lies mainly in the Android browser, though there is also a non-browser component in Android.
– The attack works by requiring the user to visit a malicious link.

STEPS
1. The Android browser doesn't prompt the user when downloading a file, for example "payload.html".
   – It automatically downloads to /sdcard/download/payload.html
2. Using JavaScript, get this payload to open automatically, causing the browser to render the local file.
3. When opening an HTML file within this local context:
   – The browser will run JavaScript without prompting the user.
   – JavaScript is able to read the contents of files.

(Diagram: malicious website)
1. The user clicks the malicious link
2. payload.html is downloaded
3. The browser runs JS and opens payload.html
4. payload.html grabs specific files

One limiting factor: the attacker must know the name and path of the file.
– However, data on the SD card often has consistent names, and pictures are stored with a consistent naming convention.
– An attacker could also read and upload any file "stored on the phone's /sdcard".
The attack is not a root exploit and still runs in the Android sandbox.
– Attackers cannot grab all the files on the system.

However, there are other ways to exploit the same flaw. The ultimate fix will require changing some essential components in the Android framework itself.
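The three steps above each depend on a browser setting: a silent download, a navigation from web content to a file:// URL, and script in a file:// page being allowed to read other local files. The stock Android 2.3 browser is not something an app developer can reconfigure, but an app that embeds its own WebView uses the same engine and can close each of those three doors. The following is an added example, not code from the presentation or from the Android project; ExampleActivity and the starting URL are constructed, while the WebSettings, DownloadListener and WebViewClient calls are real Android framework APIs (the two file-URL toggles were added in API level 16 and did not exist on Android 2.3).

```java
// Added example (not from the presentation): hardening an app-embedded
// Android WebView against the file:// data-theft pattern in the slides.
// ExampleActivity and the start page are hypothetical; the framework
// calls are real WebView APIs.
import android.app.Activity;
import android.os.Bundle;
import android.webkit.DownloadListener;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

public class ExampleActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        // Step 3 of the attack needs script to run inside a local page.
        // Enable JavaScript only if the app really needs it.
        settings.setJavaScriptEnabled(false);
        // Deny web content any access to the local file system
        // (this defaulted to true on older API levels).
        settings.setAllowFileAccess(false);
        // API level 16 and later: even if a file:// page does load, it may
        // not read other file:// URLs, nor reach any other origin.
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Step 1 of the attack relies on a download that happens without a
        // prompt. Intercept every download start and refuse it (an app could
        // prompt here instead) rather than writing to /sdcard/download.
        webView.setDownloadListener(new DownloadListener() {
            @Override
            public void onDownloadStart(String url, String userAgent,
                                        String contentDisposition,
                                        String mimetype, long contentLength) {
                Toast.makeText(ExampleActivity.this,
                        "Download blocked: " + url, Toast.LENGTH_SHORT).show();
            }
        });

        // Step 2 of the attack navigates the browser to a local file.
        // Cancel any navigation to a file: URL that page content initiates.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                if (url.startsWith("file:")) {
                    return true;  // "handled" without loading: navigation dropped
                }
                return false;     // ordinary http/https loads proceed
            }
        });

        // Constructed starting page for the example.
        webView.loadUrl("https://example.com/");
    }
}
```

The download listener and the URL filter are the two checks worth keeping even in apps that must leave JavaScript on: together they stop the local file from ever being written by the page and from ever being rendered as a page, so the file:// origin's read privileges never come into play. Note that shouldOverrideUrlLoading is only consulted for navigations that page content triggers, not for the app's own loadUrl calls.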

Other interesting news: – FBI issues warrants over pro-WikiLeaks attacks – Facebook blames bug for Zuckerberg page hack – Facebook Puts HTTPS Security Guard on Full-Time Duty.
