CVE-2014-350{0,1,2} Vulnerabilities in Cordova for Android

I, together with Roee Hay from my team (IBM Security Research), discovered a set of vulnerabilities in the Cordova Framework for Android.

The vulnerabilities are pretty severe - allowing for a remote drive-by download attack against certain applications making use of the framework; basically, an attacker can potentially steal your session cookie for your Cordova-based banking application.

Quite a few of the Israeli banks have vulnerable apps (finding which ones is left as an exercise for the reader) :).

You can learn more about it all here:
Blog Post
Whitepaper
Video demo

UPDATE: Google recently sent the following message to app developers with vulnerable apps on the Play Store:

This is a notification that you have multiple apps, listed below, built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user login credentials.

You should upgrade to Apache Cordova 3.5.1 or higher as soon as possible. For more information about the vulnerabilities, and for guidance on upgrading Apache Cordova, please see http://cordova.apache.org/announcements/2014/08/04/android-351.html.

Please note, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.