AirDroid gives Android users complete control of their mobile device from a laptop or desktop, but an attacker could take over that control by sending a malicious link to a user. Once clicked from a computer logged into web.airdroid.com, the attacker could control the Android device connected to the web interface. Any browser logged into the portal is affected, Matt Bryant, of Bishop Fox Security, told SCMagazine.com in a Friday email.
“AirDroid Version 3.0.4 and earlier versions' web applications use JSON with padding (JSONP) for performing cross-origin requests,” Bryant wrote in an advisory. “Due to JSONP being an insecure method of sharing data across origins, it is possible to hijack all of the AirDroid application functionality.”
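To show why cookie-authenticated JSONP is a weak way to share data across origins, the following added example (not code from AirDroid or from the advisory) sets a JSONP handler beside a hardened JSON handler and checks what each returns to a cross-site `<script>` include. The handler names, session store, cookie and header names, and origins are hypothetical, and all sample values are constructed.

```javascript
// Added illustration: handler names, session store, cookie name and origins are
// hypothetical, not AirDroid's code. All sample values are constructed.
const SESSIONS = new Map([["sid-constructed-1", { device: "constructed-phone", csrf: "tok-constructed-9" }]]);
const ALLOWED_ORIGINS = new Set(["https://portal.example"]);

// Weak pattern: cookie-authenticated JSONP. The reply is executable script, so
// any page can pull it in with <script src>; the browser attaches the cookie and
// the same-origin policy does not keep the data from the including page.
function jsonpHandler(req) {
  const session = SESSIONS.get(req.cookies.sid);
  if (!session) return { status: 401, headers: {}, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `${req.query.callback}(${JSON.stringify({ device: session.device })});`,
  };
}

// Hardened pattern: plain JSON, an Origin allowlist, and a per-session token in
// a custom header, which a <script> include cannot set.
function jsonHandler(req) {
  const origin = req.headers["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {}, body: "" };
  const session = SESSIONS.get(req.cookies.sid);
  if (!session) return { status: 401, headers: {}, body: "" };
  if (req.headers["x-csrf-token"] !== session.csrf) return { status: 403, headers: {}, body: "" };
  const headers = { "Content-Type": "application/json", "X-Content-Type-Options": "nosniff", "Vary": "Origin" };
  if (origin !== undefined) {
    headers["Access-Control-Allow-Origin"] = origin; // echoed only after the allowlist check
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return { status: 200, headers, body: JSON.stringify({ device: session.device }) };
}

// What a browser sends for a <script src> include placed on another site:
// the logged-in user's cookie, but no custom headers.
function scriptIncludeRequest() {
  return { cookies: { sid: "sid-constructed-1" }, headers: {}, query: { callback: "cb" } };
}

// True when the reply would run as script and hand its data to the including page.
function exposedToIncludingPage(res) {
  return res.status === 200 && /javascript/.test(res.headers["Content-Type"] || "") && res.body.startsWith("cb(");
}
```

The same token requirement also covers state-changing requests, which matter here because the advisory describes hijacking application functionality and not only reading data.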