An attack would have to add an app -- perhaps just a non-functional placeholder -- to exploit the bug. But that's easy.
"It's been shown, by me and others, that its not hard to get an app into the Android Market, with little trace of evidence that it's malicious," said Oberheide. "It's not very difficult."
Although Oberheide was slated to try his hand at Pwn2Own for the first time, he has experience finding flaws in Android Market. Last June, he published a pair of apps to the e-store as part of his research into vulnerabilities that let attackers push malware to Android phones.
Then, Google yanked the apps from the Market and triggered its "kill switch" that automatically uninstalled the programs from users' phones, saying that Oberheide had "intentionally misrepresented their purpose in order to encourage user downloads."
Google threw the kill switch for only the second time last weekend when it started to delete more than 50 malware-infected apps from Android phones.
Oberheide immediately reported his newest XSS bug to Google, a move he now has cause to regret. "I didn't think it would qualify for Pwn2Own...and even if it did qualify, it was such low-hanging fruit it probably wouldn't survive until the contest," he said.
Turns out, neither assumption was correct.
"I should have waited until I heard from Pwn2Own whether it qualified for the contest," he said Monday. "If I had just waited 24 hours before reporting it to Google.... So yeah, I killed my own Pwn2Own bug."
Google patched the XSS vulnerability in Android Market a week ago.
Yesterday, Oberheide said he had tentatively canceled his participation at Pwn2Own. "Unless I can dig up a new XSS in the Android Market, I won't be playing," he said. He's been unsuccessful so far in his hunt for a new vulnerability.
Pwn2Own, which is sponsored by HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program, runs March 9-11, and offers $125,000 in cash prizes to researchers who hack into the four biggest browsers and four smartphones, each of the latter running a different mobile operating system.
Oberheide's final word to researchers who want to learn a lesson from his experience?
"Don't be stupid with your disclosures," he said.