Now that you've changed all your passwords because of the Heartbleed Bug (right?), here's something else to worry about—your smartphone might be susceptible to one of the Web's most common hacks, something called a cross-site scripting attack.
Here's how it works. Let's say you scan a 2-D bar code with your phone. The bar code contains information—including, perhaps, a string of malicious JavaScript code. If your bar code reader is a native iPhone or Android app, no problem. But if it's an HTML5 app, which works across platforms, you might be in trouble. Because HTML5 apps run on JavaScript. And some are designed to detect JavaScript in a jumble of data—like that bar code—and execute it.
Researchers found five bar code–scanner apps with that vulnerability in the Android marketplace and three in the iPhone app store. They'll present the results at the Mobile Security Technologies workshop in San Jose in May. [Xing Jin, Tongbo Luo, Derek G. Tsui, and Wenliang Du, XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps]
HTML5 apps are forecast to dominate half the market by 2016. And since bad code can hide in mp3s, photos, texts, even the names of wi-fi networks, researchers say it's time for developers to wise-up to this glitch before it goes viral.
—Christopher Intagliata
