A XFO (X-Frame-Options) Flaw in Android Play Store Allows Remote Code Execution

A vulnerability on the Google’s Play Store app have Android users vulnerable to malware.

The XFO aka the X-Frame-Options flaw, when combined with a recent Android WebView (Jelly Bean) bug creates a means for hackers to silently install any app from the Google Play store.

Joe Vennix of Rapid7 identified The Play Store XFO vulnerability and the Metasploit firm went public with the issue on Tuesday with the publication of an advisory, accompanied by a Metasploit module that helps enterprise security bods test corporate-issued smartphones for exposure to the XFO vulnerability.

Engineering manager at Rapid7, Tod Beardsley, with the firm that is behind the Metasploit penetration testing tool, explained that many devices running installations of Android 4.3 (Jelly Bean) and earlier ship with browsers with UXSS [Universal Cross-site Scripting] exposures.

Beardsley states,

“Users of these platforms may also have installed vulnerable aftermarket browsers. Until the Google Play store XFO [X-Frame-Options] gap is mitigated, users of these web applications who habitually sign in to their Google Account will remain vulnerable.”

Beardsley goes on to explain that Remote code execution is achieved by leveraging two vulnerabilities on affected Android devices. Stating more details of the Metasploit module,

First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android’s open source stock browser (the AOSP Browser) as well as some other browsers, prior to 4.4 (KitKat). Second, the Google Play store’s web interface fails to enforce a X-Frame-Options: DENY header on some error pages, and therefore, can be targeted for script injection. As a result, this leads to remote code execution through Google Play’s remote installation feature, as any application available on the Google Play store can be installed and launched on the user’s device.”

So using a browser like Google Chrome or Mozilla Firefox which are not susceptible to widely known UXSS vulnerabilities and not Not logging into the Google Play store may help mitigate and avoid this vulnerability.

Subscribe to our newsletter

To be updated with all the latest news


Please enter your comment!
Please enter your name here

Subscribe to our newsletter

To be updated with all the latest news

Read More

Suggested Post