CVE-2019-0219
📋 TL;DR
This vulnerability allows malicious websites loaded in Cordova's InAppBrowser on Android to execute arbitrary JavaScript in the main application's webview via specially crafted gap-iab: URIs. This affects Android applications built with Apache Cordova that use the InAppBrowser plugin, potentially enabling attackers to steal sensitive data or perform unauthorized actions within the app context.
💻 Affected Systems
- Apache Cordova
- Apache Cordova InAppBrowser Plugin
- Applications using Cordova InAppBrowser on Android
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Android application's webview context, allowing theft of authentication tokens, session cookies, and sensitive user data, potentially leading to account takeover and data exfiltration.
Likely Case
Attackers could inject malicious JavaScript to steal session information, manipulate application behavior, or redirect users to phishing sites while appearing to be within the legitimate app.
If Mitigated
With proper input validation and URI scheme restrictions, the attack surface is significantly reduced, though the underlying vulnerability remains until patched.
🎯 Exploit Status
Exploitation requires tricking users into visiting a malicious website within the InAppBrowser, but the actual exploit is straightforward once that condition is met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Cordova InAppBrowser plugin version 3.2.0 and later
Vendor Advisory: https://cordova.apache.org/announcements/2019/11/28/inappbrowser-release.html
Restart Required: Yes
Instructions:
1. Update the Cordova InAppBrowser plugin to version 3.2.0 or later using: cordova plugin rm cordova-plugin-inappbrowser && cordova plugin add cordova-plugin-inappbrowser@latest
2. Rebuild and redeploy the Android application.
3. Test the application to ensure InAppBrowser functionality still works correctly.
🔧 Temporary Workarounds
Disable InAppBrowser gap-iab scheme
Modify the application to disable or restrict the gap-iab URI scheme in InAppBrowser configurations
Modify config.xml: <preference name="scheme" value="https" />
Or modify InAppBrowser initialization to restrict allowed schemes
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Use WebViewClient.shouldOverrideUrlLoading() to validate and block malicious gap-iab: URIs
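The shouldOverrideUrlLoading() filter from the second point, written out as an added example (not code from the Cordova project or this advisory): it allowlists ordinary web schemes and drops any custom scheme such as gap-iab: before the WebView acts on it. The class name is my own, and it assumes you can install a WebViewClient on the WebView you want to protect.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Illustrative client (hypothetical name) that only lets http/https navigations
// through. Custom schemes, including the gap-iab: scheme abused in CVE-2019-0219,
// are swallowed so they never reach the plugin's URI handler.
public class SchemeAllowlistWebViewClient extends WebViewClient {
    private static final Set<String> ALLOWED_SCHEMES =
            new HashSet<>(Arrays.asList("http", "https"));

    // True when the navigation must be dropped. Parsing with android.net.Uri instead
    // of substring matching also catches "GAP-IAB:" and leading whitespace variants.
    static boolean shouldBlock(String url) {
        if (url == null) {
            return true;
        }
        String scheme = Uri.parse(url.trim()).getScheme();
        if (scheme == null) {
            return true; // no usable scheme: refuse rather than guess
        }
        return !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
    }

    // Entry point used on API 24 and later.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        if (shouldBlock(request.getUrl().toString())) {
            return true; // "handled" by the app, i.e. the load is discarded
        }
        return super.shouldOverrideUrlLoading(view, request);
    }

    // Pre-API-24 entry point, kept so older devices receive the same filter.
    @Override
    @SuppressWarnings("deprecation")
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (shouldBlock(url)) {
            return true;
        }
        return super.shouldOverrideUrlLoading(view, url);
    }
}
```

Dropping the scheme also removes any legitimate use the plugin makes of it, so re-test InAppBrowser functionality as step 3 of the fix instructions says.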
🔍 How to Verify
Check if Vulnerable:
Check the Cordova InAppBrowser plugin version in config.xml or plugins/cordova-plugin-inappbrowser/package.json. If version is < 3.2.0, the application is vulnerable.
Check Version:
cordova plugin list | grep inappbrowser
Verify Fix Applied:
Verify the plugin version is 3.2.0 or higher and test that InAppBrowser functionality works without allowing gap-iab: URI execution in the main webview.
📡 Detection & Monitoring
Log Indicators:
- Unusual gap-iab: URI patterns in webview logs
- JavaScript execution errors from unexpected sources in main webview
Network Indicators:
- Requests to malicious domains from within InAppBrowser
- Unexpected data exfiltration from the application
SIEM Query:
webview_logs WHERE uri CONTAINS 'gap-iab:' AND NOT uri CONTAINS 'expected-domain.com'
🔗 References
- http://www.openwall.com/lists/oss-security/2019/11/28/1
- https://lists.apache.org/thread.html/197482d5ab80c0bff4a5ec16e1b0466df38389d9a4b5331d777f14fc%40%3Cdev.cordova.apache.org%3E
- https://lists.apache.org/thread/4vtg0trdrh5203dktt4f3vkd5z2d5ndj
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujul2022.html