Message-ID: <CAAyEnSOx0BibBOO3ZBDNrGYZgjbU51oCeEenuw7A2OT22VrH_Q@mail.gmail.com>
Date: Tue, 18 Jul 2017 16:57:58 -0400
From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Google’s Android News and Weather App Doesn’t Always Use SSL [CVE-2017-9245]

[Blog post here:
https://wwws.nightwatchcybersecurity.com/2017/07/18/advisory-googles-android-news-and-weather-app-doesnt-always-use-ssl-cve-2017-9245/]

SUMMARY

Google News and Weather Application for Android does not use SSL for
some server calls, exposing authentication tokens (OAuth) to anyone
monitoring the network. It is not clear if the tokens belong to the
user’s account or a service account. The vendor (Google) fixed the
issue in v3.3.1 of the application and users should install the latest
version. MITRE has assigned CVE-2017-9245 to track this issue.

DETAILS

The Google News and Weather application for Android is an application
developed by Google which aggregates news from multiple sources. This
application was originally included as part of the stock Android
operating system but was separated into its own application around
August 2014.

While performing network level testing of various Google applications,
we discovered that some of the calls made by the application to
Google’s server did not use SSL. Furthermore, analysis of the captured
traffic showed that an authentication token (OAuth) was sent as part
of those calls, thus exposing it to an attacker that is monitoring the
network. It is not clear from our testing whether this token belonged
to the user using the application, or was some sort of a service
account.

We also did not test earlier versions of the application, so it is
also unclear whether this issue affects older versions of Android
where this is part of the stock operating system.

To replicate the issue on v3.1.4:

1. Install the application and open it.
2. Flick away the application.
3. Set up the proxy without an SSL certificate and point the Android
device to it.
4. Go back to the application and select any news feed, and then click
on a news article from a site that doesn’t use SSL.
5. Go back to the proxy and observe captured traffic.

All testing was done on Android 7 and application v3.1.4. Network
captures were performed using an on-device proxy (PacketCapture)
without a trusted SSL certificate.
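The replication steps above come down to one check: does any request leave the device over plain http:// while carrying an OAuth token? The following script is an added example, not code from the advisory or from Google, showing how a tester or app developer can run that check mechanically over a proxy capture. It parses a simple text capture (one request per block: request line, then headers) and flags every non-TLS request, rating those that carry an Authorization or Cookie header or a token-like query parameter as high. The sample capture, hosts, paths and token values are constructed placeholders, not traffic from the News and Weather application.

```python
"""Audit a proxy capture for credentials sent over plain HTTP.

Added example, not part of the original advisory. The capture format
(request line followed by "Name: value" headers, blocks separated by a
blank line) and every host, path and token below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Header names that normally carry a credential.
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-auth-token"}
# Query-string parameter names that commonly carry a token.
CREDENTIAL_PARAMS = {"access_token", "oauth_token", "token", "auth"}

# Constructed sample capture: one request per blank-line-separated block.
SAMPLE_CAPTURE = """\
GET https://accounts.example.invalid/token HTTP/1.1
Host: accounts.example.invalid
Authorization: Bearer CONSTRUCTED-TOKEN-1

GET http://news.example.invalid/v1/feed?lang=en HTTP/1.1
Host: news.example.invalid
Authorization: Bearer CONSTRUCTED-TOKEN-1

GET http://news.example.invalid/v1/article?id=42&access_token=CONSTRUCTED-TOKEN-2 HTTP/1.1
Host: news.example.invalid

GET http://cdn.example.invalid/img/logo.png HTTP/1.1
Host: cdn.example.invalid
"""


@dataclass
class Finding:
    url: str
    location: str   # "header:<name>", "query:<param>" or "none"
    severity: str   # "high": credential over cleartext; "info": cleartext, no credential
    sample: str     # redacted prefix of the exposed value, never the full secret


def parse_capture(text):
    """Yield (method, url, headers) for each request block in the capture."""
    for block in text.strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        method, url, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield method, url, headers


def redact(value):
    """Keep a short prefix so the report itself does not leak the token."""
    return value[:10] + "..." if len(value) > 10 else "***"


def audit_capture(text):
    """Return a Finding for every non-TLS request in the capture.

    https:// requests are skipped: a passive observer on the network
    cannot read their headers or query string. A plain-http request
    carrying a credential is 'high'; one without is still listed as
    'info' so that every cleartext call is visible to the reviewer.
    """
    findings = []
    for _method, url, headers in parse_capture(text):
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue
        before = len(findings)
        for name in sorted(headers.keys() & CREDENTIAL_HEADERS):
            findings.append(Finding(url, f"header:{name}", "high", redact(headers[name])))
        for param, values in parse_qs(parts.query).items():
            if param.lower() in CREDENTIAL_PARAMS:
                findings.append(Finding(url, f"query:{param.lower()}", "high", redact(values[0])))
        if len(findings) == before:
            findings.append(Finding(url, "none", "info", ""))
    return findings


if __name__ == "__main__":
    for f in audit_capture(SAMPLE_CAPTURE):
        print(f"{f.severity:4} {f.location:22} {f.url}  {f.sample}")
```

Run against the constructed capture, the first request is ignored because it is protected by TLS, the feed call is flagged for its Authorization header, the article call for its access_token parameter, and the image fetch is listed as informational cleartext. On the mitigation side, an Android app can refuse cleartext traffic outright with a network security configuration (`cleartextTrafficPermitted="false"` in `res/xml/network_security_config.xml`, referenced from the manifest via `android:networkSecurityConfig`, available from API 24) or with the `android:usesCleartextTraffic="false"` manifest attribute (API 23 and later), so that an accidental http:// URL fails at runtime instead of leaking a token.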

VENDOR RESPONSE

This issue was responsibly reported to the vendor and fixed in version
3.3.1 which was released in late June 2017. It is not clear if older
versions of Android that include this as part of the OS are affected
and/or fixable.

REFERENCES

CVE ID: CVE-2017-9245

BOUNTY INFORMATION

This bug satisfied the rules of the Google Vulnerability Reward
Program (VRP) and a bounty was paid.

CREDITS

Advisory written by Yakov Shafranovich.

TIMELINE

2017-05-11: Initial report to the vendor
2017-05-11: Report triaged by the vendor and bug filed
2017-05-26: Bounty decision received from vendor
2017-06-29: Fixed version released by the vendor
2017-07-12: Fixed version tested to confirm the fix
2017-07-12: Draft advisory sent to vendor for comment
2017-07-18: Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/