Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31813
HistoryMar 21, 2015 - 12:00 a.m.

Viber for Android exposes insecure Javascript interface

2015-03-2100:00:00
vulners.com
17
JSON

Viber for Android exposes insecure Javascript interface

Yorick Koster, April 2014

Abstract

It was discovered that Viber's Sticker Market is affected by a remote
code execution vulnerability. This is possible because the Market is
loaded over an insecure connection (HTTP) in a WebView that exposes an
insecure Javascript interface. Exploiting this issue allows for the
execution of arbitrary Java code within the privileges of the Viber app.

Tested versions

This issue was successfully tested on Viber for Android version
4.3.0.712.

Fix

As of Viber version 5.2.0.2415 (released December 15, 2014) the target
SDK was change from API Level 15 to API Level 19. Due to this, this
issue is no longer exploitable devices running Android 4.2 (API Level
17) and newer.

Details

https://www.securify.nl/advisory/SFY20140402/viber_for_android_exposes_insecure_javascript_interface.html
https://vimeo.com/102272421

JSON