Sandbox bypass in Android Google Admin console revealed

A researcher has unveiled the details of a vulnerability in the console after Google failed to patch the flaw. [UPDATED]
Written by Charlie Osborne, Contributing Writer

[Update 11.34GMT: Google statement added]

A security flaw that allows third-party applications to bypass sandbox restrictions in the Google Admin console has been disclosed.

In a post to the Full Disclosure mailing list on Friday, Rob Miller, a senior security researcher at MWR Labs, said the flaw, found within Google's Android Admin application, allows third-party apps to bypass sandbox restrictions and read arbitrary files through symbolic links.

If the console receives a URL through an IPC call from another application on the same device, the Android app loads this link in a WebView. However, if an attacker supplies a file:// URL which points to a domain they control, then symbolic links can be used to bypass the Same Origin Policy and retrieve data out of the Google Admin sandbox.

Therefore, if a third-party app has been installed which is untrusted or malicious, attackers controlling the app will be able to read data out of any file within the Google Admin sandbox.

According to the researcher, the vulnerability can be exploited after setup_url is triggered through a link being sent, which causes ResetPinActivity to open a WebView under the privileges of the Google Admin console. An attacker can add HTML to these links, such as an iframe that introduces a one-second delay while the file is rendered in the WebView. During that delay the attacker deletes the file and replaces it with a symbolic link of the same name which points to a file inside the console's sandbox.

As explained by Miller:

"After one second the iframe in the WebView will load the file, which will now point to one of its own files. Because the parent and child frames have the same URL, the Same Origin Policy allows the parent frame to query the contents of the child frame. This means that the HTML that the attacker controls can read from the files loaded into the iframe and extract their data."
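As an added illustration (not Google's code and not part of MWR's advisory), the following shows how an Android Activity that receives a URL over IPC could refuse file:// inputs and lock down the WebView's file-URL access, which closes the path described above; the class name, method names and EXPECTED_HOST are assumed placeholders.

```java
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Hypothetical helper (not the Google Admin app's code) for an Activity that
// is handed a URL by another app and must decide whether to render it.
public final class SafeWebViewLoader {

    // Only remote HTTPS URLs on the expected host are allowed into the WebView.
    // EXPECTED_HOST is an assumed placeholder, not a value from the advisory.
    private static final String EXPECTED_HOST = "admin.example.invalid";

    /** Returns true only if the IPC-supplied URL is safe to render under the app's privileges. */
    static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        // file:// (and content://, javascript:, ...) are rejected outright:
        // anything other than https must not be loaded inside the app's sandbox.
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return false;
        String host = uri.getHost();
        return host != null && host.equalsIgnoreCase(EXPECTED_HOST);
    }

    /** Hardens the WebView so that even an accidental local load cannot read other files. */
    static void harden(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setAllowFileAccess(false);                  // no file:// loads at all
        s.setAllowFileAccessFromFileURLs(false);      // file:// pages may not read other file:// URLs
        s.setAllowUniversalAccessFromFileURLs(false); // file:// pages get no cross-origin access
        s.setJavaScriptEnabled(false);                // the iframe read needs script; enable only if the page requires it
    }

    /** Entry point the Activity calls with the URL taken from the incoming Intent extra. */
    static boolean loadIfSafe(WebView webView, String urlFromIntent) {
        if (!isAllowedUrl(urlFromIntent)) {
            return false; // caller logs the rejected request and does not render it
        }
        harden(webView);
        webView.loadUrl(urlFromIntent);
        return true;
    }
}
```

The scheme check is what matters for this bug: a file:// URL handed in over IPC is never loaded, so the symbolic-link swap has nothing to target.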

The flaw was first submitted to Google on 17 March. On 18 March, the tech giant's security team acknowledged the report and later requested two weeks to develop and release a patch update. In June, MWR Labs requested an update on this release, and later in the same month Google acknowledged the firm had exceeded its own 90-day fix deadline and asked for a delayed public disclosure.

In July, the security company announced its intentions to release the details of the flaw, disclosing the problem on 13 August.

At the time of disclosure, no updated version of the Google Admin application had been released. To reduce the risk of exploitation in the interim, devices with Google Admin installed should not install or use any third-party applications which are not trusted.

Google's Project Zero security team is well-known for releasing vulnerabilities in vendor software if a 90-day deadline is either ignored or exceeded. The team has disclosed vulnerabilities concerning Microsoft, Adobe and Apple products.


A Google spokesperson told ZDNet:

"We thank the researchers for flagging this to us. We have addressed the issue in the Google Admin app and the fix has been released. In order for this issue to occur, a malicious app would need to be installed on the device. As far as we know, no one has been affected."
