{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/webview/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw Android application"],"_cs_severities":["high"],"_cs_tags":["android","webview","rce"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eThe OpenClaw Android application, specifically versions prior to 2026.3.22, contains a vulnerability that allows for arbitrary code execution. This flaw stems from insufficient validation of the origin of requests made to the JavascriptInterface bridge within Android Canvas WebView pages. An attacker could potentially exploit this by serving malicious content via a compromised or untrusted website loaded in the WebView. This allows the attacker to bypass security restrictions and inject arbitrary instructions directly into the application's context. The vulnerability was reported by @cyjhhh and a fix was implemented in version 2026.3.22. Defenders should ensure all OpenClaw Android applications are updated to version 2026.3.22 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker hosts a malicious webpage containing JavaScript code designed to exploit the WebView's JavascriptInterface.\u003c/li\u003e\n\u003cli\u003eThe user opens the OpenClaw Android application and navigates to the CanvasScreen, which loads the attacker's malicious webpage within a WebView.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code within the WebView attempts to invoke methods exposed through the JavascriptInterface bridge.\u003c/li\u003e\n\u003cli\u003eDue to the lack of sufficient origin validation in versions prior to 2026.3.22, the JavascriptInterface bridge incorrectly processes the attacker's commands.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts specific instructions through the bridge to execute arbitrary code within the OpenClaw application's context.\u003c/li\u003e\n\u003cli\u003eThis could lead to the installation of malware, data exfiltration, or other malicious actions depending on the permissions granted to the OpenClaw application.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-injected code, granting the attacker control within the app's sandbox.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code within the OpenClaw Android application. This could lead to data theft, credential compromise, or potentially lateral movement to other applications or systems accessible from the compromised device. The number of affected users depends on the adoption rate of vulnerable OpenClaw versions, but the impact is high due to the potential for complete compromise of the application and its data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the OpenClaw npm package to version 2026.3.22 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected network activity originating from devices running older versions of OpenClaw, as this may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider implementing network-level restrictions to prevent the OpenClaw application from accessing untrusted or known malicious websites.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-11T18:00:00Z","date_published":"2024-01-11T18:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-webview-rce/","summary":"The openclaw npm package before version 2026.3.22 is vulnerable to arbitrary code execution, where an attacker could inject instructions into the app by invoking the JavascriptInterface bridge from untrusted origins within Android Canvas WebView pages.","title":"OpenClaw Android App Vulnerable to Arbitrary Code Execution via WebView JavascriptInterface","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-webview-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Webview","version":"https://jsonfeed.org/version/1.1"}