A vulnerability has been discovered in the web browser of Android 2.2 (Froyo) and earlier versions that would allow files to be stolen from the device, especially those stored on the SD card, transparently to the user. The SD card's file system is FAT32, so files on it carry no ownership permissions.
Thomas Cannon, the security specialist who discovered the vulnerability, reports that through a specially crafted HTML and JavaScript page, an attacker could access a limited number of files stored on the device. The core of the problem is that the Android browser, in the versions mentioned, does not notify the user when it downloads an HTML file.
The attack could reach the proc file system, and through it the kernel version and other configuration parameters that could serve as a basis for further attacks. In addition, browser data such as history, bookmarks, session cookies and saved passwords could be obtained.
Access to the SD card allows the theft of files of all types (text, pictures or video) without the device owner being aware of it. At the time of this writing there is no official fix for the problem, so the only alternative is to use a different browser, e.g. Opera Mini, Firefox, Skyfire or any other of your choice.
