CVE-2014-350{0,1,2}: Vulnerabilities in Cordova for Android

I, together with Roee Hay from my team (IBM Security Research) discovered a set of vulnerabilities in the Cordova Framework for Android.

The vulnerabilities are pretty severe - allowing for a remote drive-by download attack against certain applicaitons making use of the framework; basically an attacker can potentially steal your session cookie for your Cordova-based banking application.

Quite a number of the Israeli banks have vulnerable apps (finding which ones is left as an exercise for the reader) :).

You can learn more about it all here:
Blog Post
Video demo

UPDATE: Google recently sent the following message to app developers with vulnerable apps on the Play Store: