Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks

“The tl;dr is for Android users to ensure they are encrypting their communications by using VPNs, [or] ensuring the sites they go to are encrypted,” Lookout researcher Andrew Blaich told Ars. “If there’s somewhere they’re going to that they don’t want tracked, always ensure they’re encrypted.”

The vulnerability makes it possible for anyone with an Internet connection to determine whether any two parties are communicating over a long-lived Transmission Control Protocol (TCP) connection, such as those that serve Web mail, news feeds, or direct messages. If the connections aren’t encrypted, attackers can then inject malicious code or content into the traffic. Even when the connection is encrypted, the attacker may still be able to determine that a channel exists and terminate it. The vulnerability is classified as CVE-2016-5696.

One of the more likely ways an exploit might target Android users is by inserting JavaScript into otherwise legitimate Internet traffic that isn’t protected by the HTTPS cryptographic scheme. The JavaScript could display a message that falsely claims the user has been logged out of her account and instruct her to re-enter her user name and password. The login credentials would then be sent to the attacker. Similar injection attacks might also attempt to exploit unpatched vulnerabilities in the browser, e-mail app, or chat app the targeted Android user is using.

