Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Handhelds Security IT

Chrome V8 JavaScript Exploit Leaves All Android Devices Ripe For Attack (hothardware.com) 107

MojoKid writes: If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?), you'll want to pay close attention to a new exploit that has the capability of taking your smartphone hostage. The exploit was demonstrated at MobilePwn2Own, which was held at a Tokyo-based PacSec conference. Quihoo 360 security researcher Guang Gong first uncovered the vulnerability, and thankfully, he hasn't publicly revealed detailed specifics on its inner workings. As soon as a phone accessed the website, the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a game) without any user interaction, to demonstrate complete control of the phone. Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.
This discussion has been archived. No new comments can be posted.

Chrome V8 JavaScript Exploit Leaves All Android Devices Ripe For Attack

Comments Filter:
  • repost (Score:5, Informative)

    by wbr1 ( 2538558 ) on Saturday November 14, 2015 @06:30PM (#50932295)
  • Firefox though? (Score:2, Insightful)

    by Anonymous Coward

    But... I use Firefox... That addon support was too good to pass up on. Also mostly avoid stuff that uses webview. So I suppose I'm fine?

  • by Anonymous Coward

    Most of them.

  • by Anonymous Coward

    Me. Chrome can get fucked.

    Firefox all day all night until they go dark side. If they do... Orbot or a full Linux install on the phone with a bazillion options if I really have to use a phone to do major web surfing. Not a concern.

    Linux Deploy / Play Store.


  • Good thing I use Firefox instead of Chrome.
  • But not the latest version. Feature bloat.

    Also, I disabled Chrome.

    • Also, I disabled Chrome.

      Uh, yes, but it doesn't work that way. I'm pretty sure that Dolphin uses webview to display webpages on android (I think almost every browser except Firefox and Opera do -- most 3rd party browsers just write a simple GUI wrapper for webview) ... and all versions of Android starting from KitKat include the v8 javascript engine as part of webview:

      https://developer.chrome.com/m... [chrome.com]

      More concerningly, if you're using KitKat, webview won't be updated without a system update (it got moved to an APK in lollipop).

  • "If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?)"

    Uh, this one. Guess I'm lucky I'm an avid Opera fan, heh.

  • First off, a repost and now a little analysis of the title. ..JavaScript Exploit Leaves All Android Devices [not all devices have chrome and even then not everyone uses chrome] Ripe For Attack [wrong, exploit is undisclosed and being patched].

  • by Anonymous Coward

    Lucky almost every new piece of desktop software across the world is built to run on one of about three browser platforms, and we've got rid of those pesky "extensions" that provided users with implementation alternatives, eh? Only through this level of homogeneity can users achieve safety and not all be exploited at once!

    thankfully, he hasn't publicly revealed detailed specifics on its inner workings

    Thankfully for your sense of security, he hasn't. Bugs like this are so valuable that many people will treat you far better than the "public" for revealing it, surely?

  • Didn't I read about this on Friday?

  • I'm an Android user that does not use Chrome. I use Opera.
    • Me too. It's much faster and I can open 50+ tabs without problem (well, sometimes, but better than Chrome).
  • by frovingslosh ( 582462 ) on Saturday November 14, 2015 @08:42PM (#50932837)

    Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.

    Given the way that Google updates don'r get out to Android users, we can expect Google's resolution to eventually reach 0% of the current users.

    • OS updates never get pushed. They require effort from both phone manufacturers and carriers, both who have motivation to not bother and encourage new phone purchases.

      Google apps get updated.
      Google Play Services get updated.

      In short, the things that Google can control (their apps, Google play services) actually gets updated. Chrome is an app

  • it shoved an ad on top of a web page i was trying to read. The ad programmer had some fun with it, it would move around when I tried to scroll, and the dismiss box did not do exactly what I wanted. So I took a few minutes to install firefox and adblock. Then I removed the chrome icon from the special real estate on the home screen and replaced it with firefox, and set firefox to default. Goodbye ads!

  • and what Android user doesn't

    I run four 3rd-party apps on my CM12.1-equipped S5 (including Waze and Square Register) and a fucking web browser isn't one of them.

  • heavy use of Google's Chrome web browser (and what Android user doesn't?)

    I have had my Samsung tablet for 2+ years now and I have never used Google's Chrome web browser.

    I use Firefox 35.0.1 with Javascript disabled. Works fine.

    But then I don't use Google Play Store either. I use F-Droid.

    Just the name already - "Play" store. Sounds like something for kids.

  • Who don't use Chrome? Me for example and all those who use Firefox because Chrome is proprietary and even in its free-as-in-freedom Base Chromium could spy you recording voices.

"Let every man teach his son, teach his daughter, that labor is honorable." -- Robert G. Ingersoll
