Universal XSS in Android WebView (CVE-2020-6506)

September 10, 2020 about Vulnerabilities, Android, UXSS, CVE-2020-6506

1. Summary
2. Android WebView at a glance
3. CVE-2020-6506 vulnerability details
4. Impacts and attack launch surfaces
5. How to identify vulnerable apps
   1. Proof of concepts
   2. Pitfalls when testing
   3. Difficulties with repro?
6. Potential mitigations
   1. Android applications and frameworks
   2. Websites
   3. Android Users
7. Affected vendors
   1. Mitigated
   2. Pending mitigations
   3. Will not mitigate
8. Videos
   1. PoC 1: Tap interaction
   2. PoC 2: Keypress interaction
9. Related links

Android WebView at a glance

Android WebView is a system component which allows Android apps to display webpages. Apps typically use Android WebView directly or via frameworks/libraries.

The version of Android WebView used by an app is tied to the version of Android WebView installed in the system, and is updatable via the Google Play Store like any other app and many other system components. Modern versions of Android WebView are not tied to an Android operating system version or an application build.

With few exceptions, most third-party browsers on Android use WebViews to render pages, making it an interesting attack surface. A vulnerability in WebView could affect all these third-party browsers, in addition to many other apps.

While Android WebView uses Chromium under the hood, some vulnerabilities prevented by Chrome for Android may still work in WebViews under certain configurations. CVE-2020-6506 is an example of such a vulnerability.
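As an added illustration (not code from the original post), the following shows how a site can tell from the User-Agent whether a page is rendered in Android WebView and which Chromium build the system WebView provides, independent of the Android release. The sample strings, the `MIN_VERSION` threshold and all function names are constructed for this example.

```javascript
// Added example (not from the original post). All UA strings are constructed.

// Extract the four-part Chromium version, e.g. [80, 0, 1000, 10]; null if absent.
function chromiumVersion(ua) {
  const m = /\bChrome\/(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(ua);
  return m ? m.slice(1).map(Number) : null;
}

// Modern Android WebView adds a "wv" token to the platform section of the UA.
function isAndroidWebView(ua) {
  const platform = /\(([^)]*)\)/.exec(ua);
  if (!platform) return false;
  const tokens = platform[1].split(';').map((t) => t.trim());
  return tokens.some((t) => t.startsWith('Android')) && tokens.includes('wv');
}

// Numeric comparison of dotted versions: negative if a < b, 0 if equal.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// minVersion is supplied by the caller; outdated is null when it cannot be determined.
function assessWebView(ua, minVersion) {
  if (!isAndroidWebView(ua)) return { webview: false, version: null, outdated: null };
  const v = chromiumVersion(ua);
  if (!v) return { webview: true, version: null, outdated: null };
  const min = minVersion.split('.').map(Number);
  return { webview: true, version: v.join('.'), outdated: compareVersions(v, min) < 0 };
}

// Constructed samples: same device and Android release, different WebView packages.
const MIN_VERSION = '90.0.0.0'; // constructed threshold, not the CVE-2020-6506 fix version
const SAMPLES = [
  'Mozilla/5.0 (Linux; Android 10; ExamplePhone Build/QP1A; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.1000.10 Mobile Safari/537.36',
  'Mozilla/5.0 (Linux; Android 10; ExamplePhone Build/QP1A; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/95.0.2000.20 Mobile Safari/537.36',
  'Mozilla/5.0 (Linux; Android 10; ExamplePhone) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.1000.10 Mobile Safari/537.36',
];
for (const ua of SAMPLES) console.log(assessWebView(ua, MIN_VERSION));
```

Apps can override the WebView User-Agent, so treat the result as a hint for logging or warning users rather than as an authoritative version check.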

