PT-2012-47: Information disclosure in Google Chrome on Android

Vulnerable software

Google Chrome on Android
Version: 18.0.1025123 and earlier

Application link:
https://play.google.com/store/apps/details?id=com.android.chrome

Severity level

Severity level: Medium
Impact: Information disclosure
Access Vector: Remote  

CVSS v2:
Base Score: 5.0
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE: CVE-2012-4903

Software description

Google Chrome is a web browser for Android.

Vulnerability description

Specialists of the Positive Research center have detected an "Information disclosure" vulnerability in Google Chrome on Android.

Google Chrome on Android does not properly restrict access to file: URLs, which allows remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by obtaining credential data.

How to fix

Update your software to the latest version.

Advisory status

20.07.2012 - Vendor is notified
20.07.2012 - Vendor gets vulnerability details
12.09.2012 - Vendor releases fixed version and details
21.09.2012 - Public disclosure

Credits

The vulnerability was discovered by Artem Chaykin, Positive Research Center (Positive Technologies Company).

References

http://en.securitylab.ru/lab/PT-2012-47

Reports on the vulnerabilities previously discovered by Positive Research:

http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/