Smartphones Vulnerable to App Attack
QR Codes: As Dangerous as They Are Convenient
Certain HTML5 apps that run across platforms can carry JavaScript attack code that your smartphone will happily execute. Christopher Intagliata reports.
Certain HTML5 cross-platform apps will automatically run JavaScript code, and your phone may well come under attack as a result.
Written and narrated by Christopher Intagliata
Translated by Li Xuan
Now that you've changed all your passwords because of the Heartbleed Bug (right?), here's something else to worry about—your smartphone might be susceptible to one of the Web's most common hacks, something called a cross-site scripting attack.
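OpenSSL's Heartbleed security flaw has come to light; have you changed all your passwords because of it? Do not let your guard down: your smartphone may also be exposed to one of the most common attacks on the Web, the "cross-site scripting attack."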
Here's how it works. Let's say you scan a 2-D bar code with your phone. The bar code contains information—including, perhaps, a string of malicious JavaScript code. If your bar code reader is a native iPhone or Android app, no problem. But if it's an HTML5 app, which works across platforms, you might be in trouble. Because HTML5 apps run on JavaScript. And some are designed to detect JavaScript in a jumble of data—like that bar code—and execute it.
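Why is that? For example, when you scan a 2-D bar code with your phone, you may well scan a string of malicious JavaScript code. If your bar code scanner is a native iPhone or Android app, there is no problem at all; but if you are using a cross-platform HTML5 app, you are in serious trouble, because HTML5 apps run JavaScript code. Some apps can even pick out hidden JavaScript code from a mass of data and run it.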
Researchers found five bar code–scanner apps with that vulnerability in the Android marketplace and three in the iPhone app store. They'll present the results at the Mobile Security Technologies workshop in San Jose in May. [Xing Jin, Tongbo Luo, Derek G. Tsui, and Wenliang Du, XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps]
Researchers found five apps with this vulnerability in the Android marketplace and three in the App Store. The results will be presented this May at the Mobile Security Technologies workshop in San Jose.
HTML5 apps are forecast to dominate half the market by 2016. And since bad code can hide in mp3s, photos, texts, even the names of Wi-Fi networks, researchers say it's time for developers to wise up to this glitch before it goes viral.
By 2016, about half of the apps on the market are expected to be HTML5 apps. Malicious code can hide in music, pictures, texts, even the names of Wi-Fi hotspots. Researchers say it is time for developers to raise their guard and nip this flaw in the bud.
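An added example, not taken from the article or the researchers' paper: it assumes an HTML5 app displays received data (a bar code's text, a Wi-Fi network name, an MP3 title) by building an HTML string, and contrasts that with escaping the data first. All function names and sample inputs are constructed for illustration.

```javascript
// Added example: treat scanned or received strings as data, not markup.
// Every name and sample value here is constructed for illustration.

// Escape the characters that let text break out of an HTML text node or a
// quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: external data is concatenated into markup. If this
// string is assigned to innerHTML, it is parsed as HTML, so elements and
// event-handler attributes inside `value` become part of the app's page.
function renderUnsafe(label, value) {
  return '<li><b>' + label + ':</b> ' + value + '</li>';
}

// Hardened pattern: same template, but external values are escaped first.
// With a real DOM, element.textContent = value avoids HTML parsing entirely.
function renderSafe(label, value) {
  return '<li><b>' + escapeHtml(label) + ':</b> ' + escapeHtml(value) + '</li>';
}

// Simple check for this demo: does the fragment open any element other than
// the <li> and <b> that the template itself creates?
function hasInjectedElement(html) {
  const tags = html.match(/<\s*([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\s*(li|b)$/i.test(t));
}

// Constructed inputs, one per data channel named in the article.
const samples = [
  ['Barcode', '<img src=x onerror="console.log(1)">'],
  ['Wi-Fi network', 'CoffeeShop<script>console.log(2)</script>'],
  ['MP3 title', 'Tom & Jerry "Theme"'], // benign, but still needs escaping
];

// Render every sample both ways and report whether markup was injected.
function audit() {
  return samples.map(([label, value]) => ({
    label,
    unsafeInjects: hasInjectedElement(renderUnsafe(label, value)),
    safeInjects: hasInjectedElement(renderSafe(label, value)),
  }));
}

console.log(audit());
```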
(Header image source: Huanqiu Kexue (环球科学))