Message-ID: <CANJpe12nPKVK_J8Lye4ZzeKz=kRH-+HjdLhsCAjArpm=Cjkb+g@mail.gmail.com>
Date: Sat, 7 May 2016 14:35:30 +0300
From: 0x3d5157636b525761 iddqd <0x3d5157636b525761@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] WheresMyDroid Android App issues
Brief
=====
Android App WheresMyDroid (10M - 50M installations) allows a malicious
user to perform the following:
- Take silent camera photos, which are automatically uploaded.
- Get the GPS location.
- Possibly wipe the phone, and lock and unlock the device.
- Upgrade the App to the Pro version.
All of these are possible via SMS messages.
Disclosure timeline
===================
April 20th, 2016: discovered issues.
April 21st, 2016: contacted App developers with no response.
May 1st, 2016: tried to contact App developers for the second time.
May 7th, 2016: public disclosure.
Technical details
=================
The WheresMyDroid Android App listens to SMS messages and acts
according to their content.
Some operations (checking whether the App is running and upgrading to
Pro) are hard-coded, while others have weak default values.
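As an added illustration of the design weakness described above (not the app's code: the attention word, command strings and defaults are constructed for this model), the first function shows an SMS command dispatcher where some commands need no gate at all and the rest are gated only by a guessable default; the second shows the mitigated form, which stays disarmed until the user has replaced the default and compares the secret in constant time.

```python
import hmac

# Constructed values for this model; the real app's strings are not on the page.
DEFAULT_ATTENTION_WORD = "wmd"
# Commands that fire regardless of any user-set secret (the "hard-coded" case).
HARDCODED_COMMANDS = {"wmd status": "status", "wmd upgrade": "upgrade"}
# Commands that are gated by the attention word.
GATED_COMMANDS = {"ping": "ping", "gps": "gps", "cam": "camera",
                  "lock": "lock", "unlock": "unlock", "wipe": "wipe"}


def dispatch_vulnerable(body, attention_word=DEFAULT_ATTENTION_WORD):
    """Weak design: hard-coded commands always fire, and the gate for the
    rest is a default value that users rarely change, so any sender who
    knows the default can trigger every action."""
    text = body.strip().lower()
    if text in HARDCODED_COMMANDS:
        return HARDCODED_COMMANDS[text]
    parts = text.split(maxsplit=1)
    if len(parts) == 2 and parts[0] == attention_word.lower():
        return GATED_COMMANDS.get(parts[1])
    return None


def dispatch_hardened(body, attention_word):
    """Mitigated design: no ungated commands, the receiver stays disarmed
    while the attention word is unset, default or short, and the word is
    compared case-sensitively in constant time."""
    if (attention_word is None or attention_word == DEFAULT_ATTENTION_WORD
            or len(attention_word) < 8):
        return None  # disarmed: never act on SMS until a real secret is set
    parts = body.strip().split(maxsplit=1)
    if len(parts) != 2:
        return None
    if not hmac.compare_digest(parts[0].encode(), attention_word.encode()):
        return None
    return GATED_COMMANDS.get(parts[1].lower())
```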
More technical information and blog entry
=========================================
securitygodmode.blogspot.com/2016/05/android-attack-surfaces-part-i.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/