Google Glass Hacked Already? Exploit Exists With JavaScript

February 7, 2014 - Written By Patrick Northcraft

Google Glass has to be the most interesting product that has yet to actually be a consumer good. It has yet to even go on the market, and yet we have heard it all: legal issues, new models, you name it. It will be interesting to see what happens to Glass when it actually goes on the market later this year. For now, we have a new interesting tidbit of information… Glass can be hacked. Glass runs on Android, and there is a security vulnerability that allows potential attackers to create and launch arbitrary code (which means, for those of you without programming knowledge, their own code) in apps that were compiled against the Android 4.1 Jelly Bean API. The specific function in question is addJavascriptInterface(), which exists to allow Java code to be accessed on a limited basis from JavaScript. At API level 16 or below, all an app needs to do to exploit this security hole is to create a WebView and then run the code that activates the broken JavaScript function.

But what does that all mean in English? Well, a lot of free apps out there like to use WebView to display HTML (online content and advertising) in their apps. If that HTML content is altered, the app may not display what the developer had intended, and in the worst case it could even result in you being taken to a site with malicious material. As most free apps out there rely on ads to bring in revenue, this problem is not as minor as you might think. Since Glass runs very similarly to Android, this exploit is possible on Glass as well.
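For developers who want to check their own app against the API-level condition described above, here is an added audit sketch; it is not from the article or from MWR Labs. It assumes a decoded, plain-text AndroidManifest.xml and the app's Java sources as strings. The sample inputs are constructed, and the minSdkVersion check goes one step beyond the article: an app that still installs on API 16 or below devices stays exposed there even if it targets a newer API.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BRIDGE_CALL = re.compile(r"\.addJavascriptInterface\s*\(")
LAST_UNRESTRICTED_API = 16  # API level named in the article (Android 4.1)

# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.adsdemo">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16"/>
</manifest>"""
SAMPLE_SOURCES = {
    "AdActivity.java": "webView.addJavascriptInterface(new AdBridge(), \"bridge\");\n",
    "MainActivity.java": "setContentView(R.layout.main);\n",
}

def sdk_levels(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion) from a decoded manifest."""
    uses_sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if uses_sdk is None:
        return 1, 1  # Android treats a missing <uses-sdk> as API level 1
    min_sdk = int(uses_sdk.get(ANDROID_NS + "minSdkVersion", "1"))
    # targetSdkVersion defaults to minSdkVersion when it is not declared
    target = int(uses_sdk.get(ANDROID_NS + "targetSdkVersion", str(min_sdk)))
    return min_sdk, target

def bridge_sites(sources):
    """List (file, line_number) for every addJavascriptInterface call."""
    return [(name, n) for name, text in sorted(sources.items())
            for n, line in enumerate(text.splitlines(), 1)
            if BRIDGE_CALL.search(line)]

def audit(manifest_xml, sources):
    """Flag JavaScript bridges in an app built for or installable on API <= 16."""
    min_sdk, target = sdk_levels(manifest_xml)
    sites = bridge_sites(sources)
    findings = []
    if sites and target <= LAST_UNRESTRICTED_API:
        findings.append("target API %d: bridge objects are not restricted" % target)
    elif sites and min_sdk <= LAST_UNRESTRICTED_API:
        findings.append("min API %d: still installs on affected Android versions" % min_sdk)
    return {"sites": sites, "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_SOURCES))
```

A finding means the listed call sites deserve review: remove the bridge if it is not needed, or raise the target and minimum API levels and expose only methods annotated with @JavascriptInterface.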

MWR Labs, a security company, published a report near the end of last year that stated:  “We have analysed a large number of advertising network SDK’s and found that a lot of these implement bridges that are vulnerable to exploitation. Some advertising network SDK’s obtained from the advertising networks directly were found to not be vulnerable (in their most recent versions). However a lot of applications on the ‘Google Play Store’ were found to be using old versions of the SDK’s, which are vulnerable.”  While this isn’t the biggest reason to fret, hopefully Google starts to work on a solution sooner rather than later for all the apps that are still running on the vulnerable SDK.  What do you think?  Let us know any thoughts or comments you have down below!