Message-ID: <CAAyEnSOx0BibBOO3ZBDNrGYZgjbU51oCeEenuw7A2OT22VrH_Q@mail.gmail.com>
Date: Tue, 18 Jul 2017 16:57:58 -0400
From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Google’s Android News and Weather App Doesn’t Always Use SSL [CVE-2017-9245]
[Blog post here:
https://wwws.nightwatchcybersecurity.com/2017/07/18/advisory-googles-android-news-and-weather-app-doesnt-always-use-ssl-cve-2017-9245/]
SUMMARY
Google News and Weather Application for Android does not use SSL for
some server calls, exposing authentication tokens (OAuth) to anyone
monitoring the network. It is not clear if the tokens belong to the
user’s account or a service account. The vendor (Google) fixed the
issue in v3.3.1 of the application and users should install the latest
version. MITRE has assigned CVE-2017-9245 to track this issue.
DETAILS
The Google News and Weather application for Android is an application
developed by Google which aggregates news from multiple sources. This
application was originally included as part of the stock Android
operating system but was separated into its own application around
August 2014.
While performing network level testing of various Google applications,
we discovered that some of the calls made by the application to
Google’s server did not use SSL. Furthermore, analysis of the captured
traffic showed that an authentication token (OAuth) was sent as part
of those calls, thus exposing it to an attacker that is monitoring the
network. It is not clear from our testing whether this token belonged
to the user using the application, or was some sort of a service
account.
We also did not test earlier versions of the application, so it is
also unclear whether this issue affects older versions of Android
where this is part of the stock operating system.
To replicate the issue on v3.1.4:
1. Install the application and open it.
2. Flick away the application.
3. Set up the proxy without an SSL certificate and point the Android
device to it.
4. Go back to the application and select any news feed, and then click
on a news article from a site that doesn’t use SSL.
5. Go back to the proxy and observe captured traffic.
All testing was done on Android 7 and application v3.1.4. Network
captures were performed using an on-device proxy (PacketCapture)
without a trusted SSL certificate.
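An added audit check, not part of the original advisory or of Google's code: given request records of the kind a proxy capture exports (constructed here, with placeholder token values), it flags every plain-HTTP request that carries an OAuth/bearer token in an Authorization header or a query parameter, which is exactly the exposure the steps above surface.

```python
"""Flag captured HTTP requests that send an OAuth/bearer token without TLS."""
import re
from urllib.parse import urlsplit, parse_qs

# Query parameter names commonly used to carry access tokens (assumed list).
TOKEN_PARAMS = {"access_token", "oauth_token", "token"}
# Authorization schemes that carry a bearer-style secret.
BEARER_RE = re.compile(r"^(Bearer|OAuth)\s+\S+", re.IGNORECASE)


def find_cleartext_tokens(requests):
    """Return (url, where) for each request exposing a token over plain HTTP.

    `requests` is an iterable of dicts with keys 'url' and 'headers'
    (header names compared case-insensitively), as a proxy export might give.
    """
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() != "http":
            continue  # TLS-protected: a passive network observer cannot read it
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        if BEARER_RE.match(headers.get("authorization", "")):
            findings.append((req["url"], "Authorization header"))
        for name in parse_qs(parts.query):
            if name.lower() in TOKEN_PARAMS:
                findings.append((req["url"], f"query parameter {name}"))
    return findings


# Constructed sample capture (not real traffic); token values are placeholders.
SAMPLE_CAPTURE = [
    {"url": "https://api.example.invalid/feed",
     "headers": {"Authorization": "Bearer ya29.PLACEHOLDER"}},      # fine: TLS
    {"url": "http://api.example.invalid/article?id=42",
     "headers": {"Authorization": "OAuth PLACEHOLDER"}},            # exposed
    {"url": "http://news-site.invalid/story.html",
     "headers": {"User-Agent": "Mozilla/5.0"}},                     # no token
    {"url": "http://api.example.invalid/track?access_token=PLACEHOLDER",
     "headers": {}},                                                # exposed
]


def audit_sample():
    """Run the check over the constructed capture."""
    return find_cleartext_tokens(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for url, where in audit_sample():
        print(f"cleartext token: {where} in {url}")
```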
VENDOR RESPONSE
This issue was responsibly reported to the vendor and fixed in version
3.3.1 which was released in late June 2017. It is not clear if older
versions of Android that include this as part of the OS are affected
and/or fixable.
REFERENCES
CVE ID: CVE-2017-9245
BOUNTY INFORMATION
This bug satisfied the rules of the Google Vulnerability Reward
Program (VRP) and a bounty was paid.
CREDITS
Advisory written by Yakov Shafranovich.
TIMELINE
2017-05-11: Initial report to the vendor
2017-05-11: Report triaged by the vendor and bug filed
2017-05-26: Bounty decision received from vendor
2017-06-29: Fixed version released by the vendor
2017-07-12: Fixed version tested to confirm the fix
2017-07-12: Draft advisory sent to vendor for comment
2017-07-18: Public disclosure