Do not use web.airdroid.com until they release a statement regarding the XSS vulnerability.
Here's a post from a year and a half ago from Threat Post: http://threatpost.com/android-airdroid- ... 0813/77707
"According to a warning on the US-CERT’s Vulnerability Notes Database this morning, if an attacker was able to get access to a phone with AirDroid installed, they’d be able to send a malicious text message to the browser associated with the account. Once that message is brought up on the browser, the attacker could execute an XSS attack which in turn could lead to a slew of problems, including information leakage, privilege escalation and denial of service on the compromised machine.
"Apparently the problem is that AirDroid’s web interface, web.airdroid.com, doesn’t properly sanitize the code it’s sent via text messages."
Sounds like I'm using it on my home wifi only. Too bad, I'd love to have the theft-recovery feature of being able to track it if lost.
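To show the class of bug the quoted advisory describes (SMS text reaching the browser unsanitized), here is an added example that is not part of the original post and is not AirDroid's code. The function names, the message object shape and the sample SMS are all assumptions constructed for illustration.

```javascript
// Added example: hypothetical rendering helpers for an SMS web view.
// Not AirDroid code; names and message shape are assumptions.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: SMS fields are concatenated into markup as-is,
// so any tags in the message become part of the page.
function renderSmsUnsafe(sms) {
  return `<li class="sms"><span class="from">${sms.from}</span>: ${sms.body}</li>`;
}

// Hardened pattern: every untrusted field is encoded at the point of output.
function renderSmsSafe(sms) {
  return `<li class="sms"><span class="from">${escapeHtml(sms.from)}</span>: ` +
         `${escapeHtml(sms.body)}</li>`;
}

// True if the rendered fragment contains a script element the template did not define.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample message (textbook test string, not taken from the advisory).
const sampleSms = {
  from: '+15550100',
  body: 'Hi <script>alert(1)</script> & "bye"',
};

console.log('unsafe:', renderSmsUnsafe(sampleSms));
console.log('safe:  ', renderSmsSafe(sampleSms));
```

In a real page, assigning untrusted text through `textContent` rather than building HTML strings gives the same protection without a hand-written encoder.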