iOS and Android weaknesses allow stealthy pilfering of website credentials

Posted by BernardSwiss on Aug 29, 2013 12:52 AM EDT
Ars Technica; By Dan Goodin

Both OSes fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission, according to a just-published academic paper from scientists at Microsoft Research and Indiana University. The so-called same-origin policy is a fundamental security mechanism enforced by desktop browsers, but the protection is woefully missing from many iOS and Android apps. To demonstrate the threat, the researchers devised several hacks that carry out so-called cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks to surreptitiously download user data from handsets.
