lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 7 May 2016 14:35:30 +0300
From: 0x3d5157636b525761 iddqd <0x3d5157636b525761@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] WheresMyDroid Android App issues

Brief
=====
Android App WheresMyDroid (10M - 50M installations) allows a malicious
user to perform the following:

- Take silent camera photos, automatically uploading them.

- Getting the GPS location.

- Possibly wiping the phone, locking and unlocking the device.

- Upgrading the App to the Pro version.

These are all possible via SMS messages.


Disclosure timeline

===================

April 20th, 2016: discovered issues.
April 21st, 2016: contacted App developers with no response.
May 1st, 2016: tried to contact App developers for the second time.
May 7th, 2016: public disclosure.

Technical details

=================

The WheresMyDroid Android App listens to SMS messages and acts
according to their content.

Some operations (checking whether the App is running and upgrading to
Pro) are hard-coded, while others have weak default values.


More technical information and blog entry
==============================
securitygodmode.blogspot.com/2016/05/android-attack-surfaces-part-i.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ