
I presume trotsky is referring to the "content://" URI vulnerability found by Thomas Cannon:

http://thomascannon.net/blog/2010/11/android-data-stealing-v...

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-480...

http://www.securityfocus.com/bid/48256/info

Exploit needs to be able to determine the exact path + filename of any file to be stolen. The securityfocus.com entry referenced above includes a demo script implementing the exploit if you want to see the details. Just wrap the XHR requests to the local URIs in a try/catch and go fishing for filenames of interest within standard directories. As mentioned in Cannon's original article, photos would be an easy target given the common location plus filename format for the jpg files (e.g., /sdcard/DCIM/Camera/IMG_yyyymmdd_hhmmss.jpg). Another interesting directory to poke around in would be /sdcard/Android/data/com.dropbox.android/files/scratch/. I tweaked the demo script a bit and was able to steal my own Dropbox files and photos on my junky little LG Optimus V on Android 2.2.1. Good Times.


