
New vulnerabilities have been discovered in Android and Google Photos, allowing attackers to steal user data

Recently, researchers have discovered two unrelated vulnerabilities in Google products. Imperva has found a way to carry out a side-channel attack on Google Photos, which allows attackers to collect location, time and other information from personal accounts. Another vulnerability, found by Positive Technologies, is a more dangerous one affecting Android. It too allows user data to be obtained.


Because Google’s products are very popular, such vulnerabilities can affect hundreds of millions of users. As of May 2017, Google Photos had over 500 million users. Android, meanwhile, runs on more than 2 billion devices, although the number of vulnerable ones is smaller, since the security vulnerability in question only appeared from Android KitKat onwards.

The vulnerability found in the web version of Google Photos allows an attacker to obtain the location where a picture was taken, as well as other metadata about the photo. Ron Masas from Imperva wrote a detailed blog post about the problem and how he found it.
In simple terms: because you can measure the execution time of any search query in Photos, you can first measure how long a query that returns zero results takes. You can then measure the time of a request for the word "Russia", and if that search takes a different amount of time than the zero-result request, the person has been in Russia.
In more detail:
Google Photos uses the metadata of your images along with machine learning to build up an array of information. For example, it can recognize your son’s face in a photo and automatically tag him in every image in which he appears, even as he grows and changes over the years; it doesn't matter whether he smiles, frowns, or doesn't even look directly at the camera. (I actively use Photos myself; it really is very convenient.) Pictures taken with a phone are labelled with precise geographic location information (translator's note: if location services are enabled on the phone itself). If you upload additional photos taken with a digital SLR camera that does not automatically geotag images, the engine will still be able to make a reasonable guess at the location based on context.
Much of this information is searchable in your Google Photos account, and Masas found a way to exploit it with a side-channel attack. “After some trial and error, I discovered that the Google Photos search endpoint was vulnerable to attack,” he writes. “I used the HTML link tag to create multiple cross-origin requests to the Google Photos search endpoint. Using JavaScript, I measured the amount of time it took for the onload event to fire.”

From there, he was able to determine how long it took the service to perform a search query that yielded zero results. When a search took measurably longer than that baseline, he knew that Google Photos had returned some kind of result. With this level of access, anyone can search your Google Photos account and use the timing to find out which queries return a result.

A query for the names of countries or cities can tell the attacker that you were, for example, in Spain or New York. Including a date or a date range in a search narrows down when, and adding names can show who you were with. Masas said that for a hacker to gain this level of access, he would have to get the user to open a malicious website, or land on a page carrying malicious JavaScript in a web ad, while logged into Google Photos. Most likely, hackers would use a phishing scheme to lure the user.
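To make the side channel concrete from the defender's side, here is an added simulation (not code from the Imperva post or from Google) of a search endpoint whose work grows with the number of hits, next to a hardened handler that refuses cross-site callers via the browser's Sec-Fetch-Site header and pads every response to a fixed floor. The photo index, per-result cost and floor are constructed sample values; the page does not say how Google actually fixed the issue, so the padding is a generic mitigation, not theirs.

```python
import time

# Constructed in-memory photo index standing in for an account's searchable
# photo metadata (hypothetical sample data, not real user data).
PHOTOS = {
    "beach.jpg": {"spain", "2018"},
    "skyline.jpg": {"new york", "2019"},
    "park.jpg": {"new york", "2018"},
}
PER_RESULT_COST = 0.005  # seconds; stands in for ranking/thumbnail work per hit
RESPONSE_FLOOR = 0.03    # seconds; must exceed the worst-case cost of any query


def naive_search(query):
    """Work is proportional to the number of hits, so a query with no
    results returns almost immediately: this is the timing oracle."""
    hits = sorted(name for name, tags in PHOTOS.items() if query in tags)
    time.sleep(PER_RESULT_COST * len(hits))
    return hits


def is_cross_site(headers):
    """Fetch Metadata check: a <link>, <img> or fetch issued from another site
    arrives with Sec-Fetch-Site: cross-site. Requests without the header
    (older browsers) are let through, matching the usual isolation policy."""
    return headers.get("Sec-Fetch-Site") == "cross-site"


def hardened_search(headers, query):
    """Two independent defences: refuse cross-site callers before any work is
    done, and pad the remaining responses to a fixed floor so that zero and
    non-zero result sets are indistinguishable by elapsed time."""
    started = time.monotonic()
    if is_cross_site(headers):
        status, hits = 403, []
    else:
        status, hits = 200, naive_search(query)
    remaining = RESPONSE_FLOOR - (time.monotonic() - started)
    if remaining > 0:
        time.sleep(remaining)
    return status, hits


def timed(fn, *args):
    """Return (result, elapsed seconds) as an onload-timing observer would see it."""
    started = time.monotonic()
    result = fn(*args)
    return result, time.monotonic() - started
```

Only the Fetch Metadata check closes the cross-site vector outright; the padding merely stops elapsed time from distinguishing "no results" from "some results", and it fails again as soon as a query's real cost exceeds the floor.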

Now about Android:

A press release from Positive Technologies states that the discovered vulnerability (CVE-2019-5765) affects Android 4.4 and later versions, and WebView is to blame. On its developer site, Google explains that “WebView is useful when you need enhanced control over the user interface and advanced configuration options that will allow you to embed web pages in a specially designed environment for your application.”

Since WebView is built on the Chromium engine, Positive Technologies has stated that any Chromium-based browser is vulnerable. Google Chrome is the most popular, but the Samsung browser, the Yandex browser and other Chromium-based browsers (that is, almost everything except Firefox?) are also under threat.

Lee-Ann Galloway from Positive Technologies described the attack: “The most obvious attack scenario involves little-known third-party applications. After an update containing a malicious payload, such applications can read information from a WebView.” She said that attackers would gain access to the user's browser history, authentication tokens, headers, and more.

But there is also good news: the vulnerabilities have already been fixed.
The vulnerability in Google Photos has already been fixed. For users of Android 7.0 or later, a simple update of the Chrome browser should eliminate any threat related to the WebView problem, since the bug was fixed in Chrome 72 (released in January). Users of earlier Android versions will need to update WebView via Google Play.

Source: https://habr.com/ru/post/444702/
