Date: Thu, 27 Jul 2017 23:31:46 -0400
From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Chrome for Android Didn’t Use FLAG_SECURE for Credit Card Prefill Settings [CVE-2017-5082]

[Original post:
https://wwws.nightwatchcybersecurity.com/2017/07/27/chrome-for-android-didnt-use-flag_secure-for-credit-card-prefill-settings-cve-2017-5082/]

SUMMARY

Chrome for Android did not use the FLAG_SECURE flag in the credit card
prefill settings, potentially exposing sensitive data to other
applications on the same device with screen capture permissions.
The vendor (Google) fixed this issue in Chrome M59. Google has
assigned CVE-2017-5082 to track this issue.

DETAILS

Chrome for Android is a version of the Chrome browser for Android
platforms. It used to be part of the Android OS, but is now a separate
application deployed by Google through the Google Play store. Chrome
has a credit card pre-fills section in settings where users can store
credit card information that can be used to pre-fill certain forms.

FLAG_SECURE is a special flag available to Android developers that
prevents a particular screen within an application from being seen by
other applications with screen capture permissions, from having screenshots
taken by the user, or from having the screen captured in the “Recent Apps”
portion of Android OS. We published an extensive post last year
discussing what this feature is and what it does:
https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/
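As an added illustration (not code from the advisory or from Chromium), this is how an Android activity showing stored payment data would opt out of capture with FLAG_SECURE; the activity, dialog and layout names are hypothetical.

```java
import android.app.Activity;
import android.app.Dialog;
import android.os.Bundle;
import android.view.WindowManager;

// Hypothetical activity standing in for a "credit card prefill" settings screen.
public class PaymentSettingsActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Without this call the window is capturable by user screenshots,
        // the Recent Apps thumbnail, and apps holding screen-capture rights.
        // Setting FLAG_SECURE before any content is drawn closes all three.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.payment_settings); // hypothetical layout resource
    }

    // Caveat: a Dialog has its own Window, so the activity's flag does not
    // cover it. An "Add credit card" dialog needs the flag set separately.
    void showAddCardDialog() {
        Dialog dialog = new Dialog(this);
        dialog.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                                    WindowManager.LayoutParams.FLAG_SECURE);
        dialog.setContentView(R.layout.add_card); // hypothetical layout resource
        dialog.show();
    }

    // Self-check for an instrumentation test or debug build: confirms the
    // flag is actually present on the window attributes.
    boolean isCaptureBlocked() {
        int flags = getWindow().getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }
}
```

The same check in reverse is what the advisory's reproduction steps do by hand: if a screenshot of the screen succeeds, the flag is missing.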

During our testing of various Google mobile applications, we found
that the credit card prefills section in Chrome for Android did not
use FLAG_SECURE to prevent other applications from capturing that
information. By contrast, other Google applications like Android Pay
and Google Wallet use this flag to prevent capture of sensitive
information. Exploiting this bug requires user cooperation in
installing a malicious app and activating the actual screen capture
process, thus the likelihood of exploitation is low.

To reproduce:
1. Open Chrome.
2. Go to Settings, Autofill and payments, Credit Cards.
3. Tap on “Add credit card”.
4. Press Power and volume down to capture screenshot.
5. Confirm that a screenshot can be taken.

All testing was done on Android 7.1.2, security patch level of May
5th, 2017, on Chrome v58.0.3029.83 (stable).

VENDOR RESPONSE

This issue was responsibly reported to the vendor via the Chromium bug
tracker. The vendor fixed this issue in Chrome release M59 and
assigned CVE-2017-5082 to track it.

REFERENCES

CVE ID: CVE-2017-5082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5082

Chromium Bug # 721579
https://bugs.chromium.org/p/chromium/issues/detail?id=721579

CREDITS

Advisory written by Yakov Shafranovich.

TIMELINE

2017-05-11: Initial report to the vendor
2017-05-15: Issue patched by the vendor
2016-05-30: CVE assigned by the vendor
2016-06-05: Fixed version released
2016-07-16: Request for public disclosure sent to the vendor
2017-07-26: Permission to disclose received
2017-07-27: Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
