Date: Mon, 1 Jul 2013 21:46:52 +0100
From: Pulser on XDA <pulser@...-developers.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Skype for Android Lockscreen Bypass

Tested with Skype version 3.2.0.6673 (released 1st July 2013) on various
Android devices (Sony Xperia Z, Samsung Galaxy Note 2, Huawei Premia 4G

The Skype for Android application appears to have a bug which permits the
Android inbuilt lockscreen (i.e. pattern, PIN, password) to be bypassed
relatively easily, if the device is logged into Skype, and the "attacker"
is able to call the "victim" on Skype.

This can be reproduced as follows with 2 Skype accounts, and 2 separate
devices to use with Skype. The target phone is presumed to have an Android
lockscreen configured and in use, and to be locked during the test.

   1. Initiate a Skype call to the target device, which will cause it to
   wake, ring, and display a prompt on the screen to answer or reject the call.
   2. Accept the call from the target device using the green answer button
   on the screen.
   3. End the call from the initiating device (i.e. the device used to call
   the target phone).
   4. The target device will end the call, and should display the
   lockscreen.
   5. Turn off the screen of the target device using the power key, and
   turn it on again.
   6. The lockscreen will now be bypassed. It will remain bypassed until
   the device is rebooted.

Similar to (ironically enough):
http://arstechnica.com/security/2013/04/crital-app-flaw-bypasses-screen-lock-on-up-to-100-million-android-phones/.
Seems that internet-based calling apps might well be "unlucky".

Thanks to Emilio López for originally bringing this to my attention.
