lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAAyEnSNcjH=1W5wnTtJs6yqbJCnFHwUPQetaBYDZE=63C3tmEw@mail.gmail.com>
Date: Thu, 27 Jul 2017 23:31:46 -0400
From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Chrome for Android Didn’t Use FLAG_SECURE for Credit Card Prefill Settings [CVE-2017-5082]

[Original post:
https://wwws.nightwatchcybersecurity.com/2017/07/27/chrome-for-android-didnt-use-flag_secure-for-credit-card-prefill-settings-cve-2017-5082/]

SUMMARY

Chrome for Android did not use the FLAG_SECURE flag in the credit card
prefills settings, potentially exposing sensitive data to other
applications on the same device with the screen capture permissions.
The vendor (Google) fixed this issue in Chrome M59. Google has
assigned CVE-2017-5082 to track this issue.

DETAILS

Chrome for Android is a version of the Chrome browser for Android
platforms. It used to be part of the Android OS, but is now a separate
application deployed by Google through the Google Play store. Chrome
has a credit card pre-fills section in settings where users can store
credit card information that can be used to pre-fill certain forms.

FLAG_SECURE is a special flag available to Android developers that
prevents a particular screen within an application from being seen by
other application with screen capture permissions, having screenshots
taken by the user, or have the screen captured in the “Recent Apps”
portion of Android OS. We have published an extensive post last year
discussing this feature is and what it does:
https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/

During our testing of various Google mobile applications, we found
that the credit card prefills section in Chrome for Android did not
use FLAG_SECURE to prevent other applications for capturing that
information. By contrast other Google applications like Android Pay
and Google Wallet use this flag to prevent capture of sensitive
information. Exploiting this bug requires user cooperation in
installing a malicious app and activating the actual screen capture
process, thus the likehood of exploitation is low.

To reproduce:
1. Open Chrome.
2. To go Settings, Autofill and payments, Credit Cards.
3. Tap on “Add credit card”.
4. Press Power and volume down to capture screenshot.
5. Confirm that a screenshot can be taken.

All testing was done on Android 7.1.2, security patch level of May
5th, 2017, on Chrome v58.0.3029.83 (stable).

VENDOR RESPONSE

This issue was responsibly reported to the vendor via the Chromium bug
tracker. The vendor fixed this issue in Chrome release M59 and
assigned CVE-2017-5082 to track it.

REFERENCES

CVE ID: CVE-2017-5082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5082

Chromium Bug # 721579
https://bugs.chromium.org/p/chromium/issues/detail?id=721579

CREDITS

Advisory written by Yakov Shafranovich.

TIMELINE

2017-05-11: Initial report to the vendor
2017-05-15: Issue patched by the vendor
2016-05-30: CVE assigned by the vendor
2016-06-05: Fixed version released
2016-07-16: Request for public disclosure sent to the vendor
2017-07-26: Permission to disclose received
2017-07-27: Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ