Full Disclosure mailing list archives
Re: Skype for Android Lockscreen Bypass
From: Pulser on XDA <pulser () xda-developers com>
Date: Tue, 2 Jul 2013 17:44:36 +0100
It appears that it is in some way device or firmware dependent (when tested on a Sony device, it happened on the Sony ROM, but not on CyanogenMod ROM). Unfortunately I'm not sure of the criteria that make this happen, but it seems a little difficult to reproduce right now on some devices.

On Tue, Jul 2, 2013 at 5:07 PM, Ryan Dewhurst <ryandewhurst () gmail com> wrote:
Just a FYI. Have not been able to reproduce on:

Galaxy Tab 2 10"
Android 4.1.2
Skype 3.2.0.6673 (same as listed above)
Screen Lock: Secured with pattern

On Mon, Jul 1, 2013 at 10:46 PM, Pulser on XDA <pulser () xda-developers com> wrote:

Tested with Skype version 3.2.0.6673 (released 1st July 2013) on various Android devices (Sony Xperia Z, Samsung Galaxy Note 2, Huawei Premia 4G)

The Skype for Android application appears to have a bug which permits the Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed relatively easily, if the device is logged into Skype, and the "attacker" is able to call the "victim" on Skype.

This can be reproduced as follows with 2 Skype accounts, and 2 separate devices to use with Skype. The target phone is presumed to have an Android lockscreen configured and in use, and to be locked during the test.

1. Initiate a Skype call to the target device, which will cause it to wake, ring, and display a prompt on the screen to answer or reject the call
2. Accept the call from the target device using the green answer button on the screen
3. End the call from the initiating device (ie. the device used to call the target phone)
4. The target device will end the call, and should display the lockscreen.
5. Turn off the screen of the target device using the power key, and turn it on again
6. The lockscreen will now be bypassed. It will remain bypassed until the device is rebooted

Similar to (ironically enough): http://arstechnica.com/security/2013/04/crital-app-flaw-bypasses-screen-lock-on-up-to-100-million-android-phones/. Seems that internet based calling apps might well be "unlucky".

Thanks to Emilio López for originally bringing this to my attention

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Skype for Android Lockscreen Bypass Pulser on XDA (Jul 01)
- Re: Skype for Android Lockscreen Bypass Ryan Dewhurst (Jul 03)
- Re: Skype for Android Lockscreen Bypass Pulser on XDA (Jul 02)
- Re: Skype for Android Lockscreen Bypass Ryan Dewhurst (Jul 03)