Android mobile application developers, including those working on some of the world’s most prominent dating apps, have been rushing to apply a delayed patch for a critical flaw in the Google Play Core library, a core component of the process for pushing app updates and new features live, that potentially left millions of mobile users exposed to compromise.


The bug in question, CVE-2020-8913, is a local, arbitrary code execution vulnerability. It could have let attackers craft an Android Package Kit (APK) that targets a vulnerable app and executes code with that app’s identity and permissions, ultimately giving access to the targeted app’s user data.
It was patched by Google earlier in 2020, but because it is a client-side vulnerability, rather than a server-side one, it cannot be fixed centrally: each affected app remains exploitable in the wild until its developers update their bundled Play Core library and ship a new release.
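Because the fix has to be shipped by every app that bundles the library, the practical check for a developer is whether their own build still declares an old Play Core version. The following is an added example, not code from the article or from Check Point: a small Python audit over a Gradle build file. The Maven coordinates of the library and the fixed-version threshold are assumptions (the article names the library but gives neither); set the threshold from Google’s Play Core release notes.

```python
import re

# Maven coordinates of the Play Core library (assumed; the article names only "Play Core").
PLAY_CORE = "com.google.android.play:core"

# PLACEHOLDER: the article does not state the fixed version. Replace with the
# version given in Google's Play Core release notes before relying on the result.
FIXED_VERSION_PLACEHOLDER = "1.7.2"

# Matches both Groovy and Kotlin DSL dependency declarations, e.g.
#   implementation 'com.google.android.play:core:1.6.4'
#   implementation("com.google.android.play:core:1.6.4")
DEP_RE = re.compile(
    r"""(?P<conf>\w+)\s*\(?\s*["'](?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<version>[\w.\-]+)["']"""
)

# Constructed sample build.gradle fragment (not from any real app).
SAMPLE_BUILD_GRADLE = """\
dependencies {
    implementation 'androidx.appcompat:appcompat:1.2.0'
    implementation 'com.google.android.play:core:1.6.4'
    testImplementation("junit:junit:4.13")
}
"""


def parse_version(v):
    """Turn '1.7.2' into (1, 7, 2) so versions compare numerically, not lexically.
    A non-numeric component (e.g. a pre-release tag) compares as 0."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def find_play_core(gradle_text):
    """Return (configuration, version) for every exact Play Core artifact declared."""
    return [
        (m["conf"], m["version"])
        for m in DEP_RE.finditer(gradle_text)
        if f"{m['group']}:{m['name']}" == PLAY_CORE
    ]


def vulnerable_play_core(gradle_text, min_fixed_version):
    """Flag every Play Core declaration whose version is below min_fixed_version."""
    floor = parse_version(min_fixed_version)
    return [(c, v) for c, v in find_play_core(gradle_text) if parse_version(v) < floor]


if __name__ == "__main__":
    for conf, ver in vulnerable_play_core(SAMPLE_BUILD_GRADLE, FIXED_VERSION_PLACEHOLDER):
        print(f"{conf}: {PLAY_CORE}:{ver} is below {FIXED_VERSION_PLACEHOLDER}; update and re-release")
```

A dependency pinned through a version variable (`$playCoreVersion`) is not resolved here; run `gradle dependencies` for the authoritative resolved version.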
Last week, researchers at Check Point revealed a number of popular apps were still open to exploitation of CVE-2020-8913, and informed the companies behind them.
The unpatched apps included Booking, Bumble, Cisco Teams, Microsoft Edge, Grindr, OkCupid, Moovit, PowerDirector, Viber, Xrecorder and Yango Pro. Between them, these apps have accrued over 800,000,000 downloads, and many more are certainly affected. Of those, Grindr, Booking, Cisco Teams, Moovit and Viber have now confirmed the issue has been fixed.
A Grindr spokesperson told Computer Weekly: “We are grateful for the Check Point researcher who brought the vulnerability to our attention. On the same day that the vulnerability was brought to our attention, our team quickly issued a hotfix to address the issue.
“As we understand it, in order for this vulnerability to have been exploited, a user must have been tricked into downloading a malicious app onto their phone that is specifically tailored to exploit the Grindr app.
“As part of our commitment to improving the safety and security of our service, we have partnered with HackerOne, a leading security firm, to simplify and improve the ability for security researchers to report issues such as these. We provide an easy vulnerability disclosure page through HackerOne that is monitored directly by our security team.
“We will continue to enhance our practices to proactively address these and similar concerns as we continue our commitment to our users,” they said.
Aviran Hazum, Check Point’s manager of mobile research, said the company estimated that hundreds of millions of Android owners remained at risk.
“The vulnerability CVE-2020-8913 is highly dangerous,” said Hazum. “If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials.
“Or a threat actor could inject code into social media applications to spy on victims or inject code into all IM [instant messaging] apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination,” said Hazum.

All Rights Reserved, Copyright 2000 – 2020, TechTarget
