Now that you've changed all your passwords because of the Heartbleed Bug , here's something else to worry about—your smartphone might be (susceptible) to one of the Web's most common hacks, something called a cross-site scripting attack.
Here's how it works. Let's say you scan a 2-D bar code with your phone. The bar code contains information—including, perhaps, a string of (malicious) JavaScript code. If your bar code reader is a native iPhone or Android app, no problem. But if it's an HTML5 app, which works across platforms, you might be in trouble. Because HTML5 apps run on JavaScript. And some are designed to detect JavaScript in a (jumble) of data—like that bar code—and execute it.
Researchers found five bar code–scanner apps with that vulnerability in the Android marketplace and three in the iPhone app store. They'll present the results at theMobile Security Technologies (workshop) in San Jose in May. [Xing Jin, Tongbo Luo, Derek G. Tsui, and Wenliang Du, XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps]
HTML5 apps are forecast to (dominate) half the market by 2016. And since bad code can hide in mp3s, photos, texts, even the names of wi-fi networks, researchers say it's time for (developers) to wise-up to this glitch before it goes viral.
