what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Android OS FLAG_SECURE Information Disclosure

Android OS FLAG_SECURE Information Disclosure
Posted May 25, 2018
Authored by Yakov Shafranovich | Site wwws.nightwatchcybersecurity.com

Android OS did not use the FLAG_SECURE flag for sensitive settings, potentially exposing sensitive data to other applications on the same device with the screen capture permissions. The vendor (Google) fixed this issue in 2018-02-01 Pixel security update.

tags | exploit, info disclosure
advisories | CVE-2017-13243
SHA-256 | 419aa59f60c639bf9769fc664825bf713bf20d2a125449f8cf156e98eb09bb86

Android OS FLAG_SECURE Information Disclosure

Change Mirror Download
[Blog post here:
https://wwws.nightwatchcybersecurity.com/2018/05/24/android-os-didnt-use-flag_secure-for-sensitive-settings-cve-2017-13243/]

SUMMARY

Android OS did not use the FLAG_SECURE flag for sensitive settings,
potentially exposing sensitive data to other applications on the same
device with the screen capture permissions. The vendor (Google) fixed
this issue in 2018-02-01 Pixel security update. Google has assigned
CVE-2017-13243 to track this issue.

DETAILS

Android OS is a mobile operating systems for phones and tablets
developed by Google. The OS has multiple screens where sensitive
information maybe shown such as the device lock screen, passwords in
the WiFi settings, pairing codes for Bluetooth, etc.

FLAG_SECURE is a special flag available to Android developers that
prevents a particular screen within an application from being seen by
other application with screen capture permissions, having screenshots
taken by the user, or have the screen captured in the Recent Apps
portion of Android OS. We have published an extensive post last year
discussing this feature is and what it does:
https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/

During our testing of various Google mobile applications, we found
that the lock screen, password entry screen for WiFi, and the screen
for entering pairing codes for Bluetooth devices did not use
FLAG_SECURE to prevent other applications for capturing that
information. By contrast other Google applications like Android Pay
and Google Wallet use this flag to prevent capture of sensitive
information. Exploiting this bug requires user cooperation in
installing a malicious app and activating the actual screen capture
process, thus the likelihood of exploitation is low.

To reproduce:
1. Lock the device, OR go to WiFi settings and try to add a network,
or try to pair a Bluetooth device.
2. Press Power and volume down to capture screenshot.
3. Confirm that a screenshot can be taken.

All testing was done on Android 7.1.2, security patch level of May
5th, 2017, on Nexus 6P. Vulnerable versions of Android include: 5.1.1,
6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 and 8.0.

VENDOR RESPONSE

This issue was responsibly reported to the vendor and was fixed in the
2018-02-01 Pixel bulletin. The vendor assigned CVE-2017-13243 to track
this issue.

BOUNTY INFORMATION

This issue satisfied the requirements of the Android Security Rewards
program and a bounty was paid.

REFERENCES

Android ID # A-38258991
CVE ID: CVE-2017-13243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13243
CVSS scores: 7.5 (CVSS v3.0) / 5.0 (CVSS v2.0)
Google Bug # 38254822
Google Pixel Bulletin: 2018-02-1
https://source.android.com/security/bulletin/pixel/2018-02-01

CREDITS

Advisory written by Yakov Shafranovich.

TIMELINE

2017-05-12: Initial report to the vendor
2017-06-15: Follow-up information sent to the vendor
2017-06-19: Follow-up communication with the vendor
2018-01-02: Vendor communicates plan to patch this issue
2018-01-29: Bounty reward issued
2018-02-01: Vendor publishes a patch for this issue
2018-05-24: Public disclosure / advisory published
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close