Google Glass can be hacked via JavaScript code due to security flaw
It seems that Google Glass is susceptible to MitM (man-in-the-middle) attacks due to a JavaScript security hole. Recent tests showed that malicious third-party JavaScript code can be executed on Google's wearable gadget. Any app that is compiled for pre-Jelly Bean versions of Android can exploit 'addJavascriptInterface()' - a function that normally "allows you to inject Java objects into a page's JavaScript context, so that they can be accessed by JavaScript in the page". Unfortunately, the aforementioned function is broken when used under Android 4.1 (API 16) or below, which means that wrongdoers can manipulate it and execute malicious Java code through WebView without any permission.
The first edition of Google Glass runs Android 4.0.4, which means that the wearable gadget can be easily hacked into if wrongdoers decide to exploit the flaw. According to Google's documentation about the addJavascriptInterface() function, it "is a powerful feature, but also presents a security risk for applications targeted to API level JELLY BEAN or below, because JavaScript could use reflection to access an injected object's public fields". Additionally, the company admits that "use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways".
source: GitHub, Android via AndroidAuthority
"JavaScript interacts with Java object on a private, background thread of this WebView. Care is therefore required to maintain thread safety." - the documentation for the function states.
MWR Labs, a security company, states that the addJavascriptInterface() issue was discovered back in December 2012. The company also advises all Android users to "remove any and all applications that embed advertisements", because they usually connect to untrusted networks and pose security risks.
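To check whether an app falls into the range described above, the following added example (not from the article or from Google) audits a decoded AndroidManifest.xml and Java sources for addJavascriptInterface() calls in apps targeting API 16 or below. The manifest, file names and regex heuristics are constructed assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
JELLY_BEAN = 16  # API level the documentation quote names as the cut-off
INJECT = re.compile(r"\.addJavascriptInterface\s*\(")
CLEARTEXT = re.compile(r"""loadUrl\s*\(\s*"http://""")

def effective_target_sdk(manifest_xml):
    """targetSdkVersion, falling back to minSdkVersion, then 1 (Android's defaults)."""
    uses_sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if uses_sdk is not None:
        for attr in ("targetSdkVersion", "minSdkVersion"):
            value = uses_sdk.get(ANDROID + attr, "")
            if value.isdigit():
                return int(value)
    return 1

def audit(manifest_xml, sources):
    """Return (file, line, severity) for each exposed addJavascriptInterface call."""
    if effective_target_sdk(manifest_xml) > JELLY_BEAN:
        return []  # outside the API range the page describes
    findings = []
    for name, text in sorted(sources.items()):
        # Cleartext page loads are what a man-in-the-middle can tamper with.
        severity = "high" if CLEARTEXT.search(text) else "review"
        for number, line in enumerate(text.splitlines(), 1):
            if INJECT.search(line) and not line.lstrip().startswith("//"):
                findings.append((name, number, severity))
    return findings

# Constructed sample input (not taken from any real app).
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo"><uses-sdk android:minSdkVersion="8"
    android:targetSdkVersion="15"/></manifest>"""
NEW_MANIFEST = OLD_MANIFEST.replace('targetSdkVersion="15"', 'targetSdkVersion="17"')
SOURCES = {
    "AdView.java": 'web.getSettings().setJavaScriptEnabled(true);\n'
                   'web.addJavascriptInterface(new Bridge(), "bridge");\n'
                   'web.loadUrl("http://ads.example.test/banner.html");\n',
    "Help.java": '// web.addJavascriptInterface(old, "x");\n'
                 'web.loadUrl("file:///android_asset/help.html");\n',
}

if __name__ == "__main__":
    for finding in audit(OLD_MANIFEST, SOURCES):
        print(finding)
```

An empty result only means the app is outside the targeted-API range quoted from the documentation; it says nothing about the Android version of the device the app runs on.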