VYPR
Unrated severity · NVD Advisory · Published Jan 5, 2018 · Updated Aug 5, 2024

CVE-2017-16905

Description

The DuoLingo TinyCards application before 1.0 for Android has one use of unencrypted HTTP, which allows remote attackers to spoof content, and consequently achieve remote code execution, via a man-in-the-middle attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The app loads its initial WebView content over unencrypted HTTP instead of HTTPS, allowing a man-in-the-middle attacker to inject arbitrary content."

Attack vector

An attacker on the same network performs a man-in-the-middle attack by spoofing DNS responses so that tinycards.duolingo.com resolves to the attacker's machine. When the TinyCards app starts, it makes an unencrypted HTTP request to that domain; the attacker intercepts the request and serves arbitrary HTML/JavaScript content instead of the legitimate page. Because the app is a thin WebView wrapper around a remote web application, the injected JavaScript executes within the WebView, achieving what Google's program terms remote code execution [ref_id=1].

Affected code

The vulnerability exists in the Android WebView-based TinyCards application (version 1.0, version code 9). The app loads its initial web content via an unencrypted HTTP call to tinycards.duolingo.com, which then redirects to HTTPS. Because the initial request is plain HTTP, a man-in-the-middle attacker can intercept and replace the response before the redirect occurs [ref_id=1].

What the fix does

The vendor fixed the issue in version 1.0 (version code 10), released November 20, 2017. According to the advisory, the vendor changed the initial request to use HTTPS, eliminating the unencrypted HTTP call that allowed interception. Users should install the latest version from the Google Play Store [ref_id=1]. No patch diff is available in the bundle.
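To make the root cause and the fix concrete, here is an added illustration of the pattern the advisory describes. It is not the TinyCards source (which is not in the bundle); the class name `CardsActivity` and the layout are assumptions. The two start URLs show the version code 9 behaviour (plain HTTP first request, later redirected to HTTPS) beside the version code 10 behaviour (HTTPS from the first byte), and a `WebViewClient` that refuses any non-HTTPS navigation is added as defence in depth.

```java
// Added example, not TinyCards' code: a minimal WebView wrapper showing the
// cleartext initial load described in the advisory beside a hardened version.
import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Locale;

public class CardsActivity extends Activity {   // hypothetical activity name
    // Vulnerable pattern (version code 9): a plain-HTTP first request. Even though
    // the server redirects to HTTPS, an on-path attacker can answer the HTTP
    // request before that redirect ever reaches the device.
    private static final String INSECURE_START_URL = "http://tinycards.duolingo.com/";

    // Hardened pattern (version code 10): start on HTTPS, so the very first
    // response is authenticated by the server certificate.
    private static final String SECURE_START_URL = "https://tinycards.duolingo.com/";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        // The advisory notes injected JavaScript runs inside the WebView, so
        // JavaScript is enabled here exactly as a thin web wrapper would do.
        webView.getSettings().setJavaScriptEnabled(true);

        // Defence in depth: block any navigation to a non-HTTPS URL, so a later
        // redirect or link cannot downgrade the session back to cleartext.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true tells the WebView not to load the URL.
                return !isHttps(url);
            }
        });

        // webView.loadUrl(INSECURE_START_URL);   // what version code 9 did
        webView.loadUrl(SECURE_START_URL);        // what the fix changed it to
    }

    // Scheme check used both for the start URL and for every navigation.
    static boolean isHttps(String url) {
        return url != null && url.toLowerCase(Locale.ROOT).startsWith("https://");
    }
}
```

Changing the literal is the actual fix; the navigation filter only guards against regressions. On Android 7.0 (API 24) and later, the same policy can be enforced platform-wide for the app by setting `cleartextTrafficPermitted="false"` in a network security config (or `android:usesCleartextTraffic="false"` in the manifest from API 23), which makes any accidental `http://` request fail instead of silently going out in cleartext.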

Preconditions

  • Network: the attacker must be on the same network as the victim (e.g., same Wi-Fi) to perform a man-in-the-middle attack.
  • Network: the attacker must be able to spoof DNS responses or otherwise intercept HTTP traffic to tinycards.duolingo.com.
  • Config: the victim must be running TinyCards version 1.0 (version code 9) or earlier.

Reproduction

1. Install the TinyCards app on the Android device but do not start it.
2. Install dnsmasq and NGINX on a Linux host.
3. Modify /etc/hosts to map tinycards.duolingo.com to the Linux host's IP.
4. Configure dnsmasq to listen on that IP and restart it.
5. Place malicious content (e.g., `echo powned > /var/www/html/index.html`).
6. Set the Android device's DNS to point to the Linux host.
7. Open the app and observe the injected content [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
