Mercury Browser for Android RCE Redux

Overview In my previous post about this browser, I have already covered how you can abuse the insecure parsing of the Intent URI scheme into invoking the private WiFi Manager feature. I also described how you can exploit a path traversal vulnerability in the custom web server used by the…

Same Sh*t Different Android Browser

Overview I have been researching Android web browsers quite a bit over the last year, and have made some interesting discoveries. One of those discoveries has been the complete lack of understanding on how to securely implement the use of the Intent URI scheme. Vulnerabilities that stem from insecurely parsing…

Exploiting the Mercury Browser for Android

Overview The Mercury Browser for Android suffers from an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its WiFi Transfer feature. Chaining these vulnerabilities together can allow a remote attacker to perform arbitrary reading and writing of files within the…