Full Disclosure mailing list archives
AirDroid Lock Screen Bypass
From: Michael Wisniewski <wiz561 () gmail com>
Date: Thu, 15 May 2014 08:16:08 -0500
All, I'm running AirDroid v2.1.0 on CleanROM 8.1 Core Edition. On my phone (Galaxy S3), I have a pattern lock screen enabled. Vulnerability: When running AirDroid in the background and the phone locks, you can use a web browser to connect to the phone. On the phone, you get the usual pop-up box that asks you to accept/reject the request to connect. If you accept the connection request, the web browser will be granted full access to the phone, without having to unlock it! You can also configure AirDroid to not ask for confirmation. It's also unknown if it listens on the cell interface or just the wifi interface. Risk: The risk is that by running this program, a malicious user can have access to the phone without having to go through the screen unlock. Vendor Contact: I contacted AirDroid through their web page about two weeks ago and haven't heard any response from them yet. _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- AirDroid Lock Screen Bypass Michael Wisniewski (May 15)
- Re: AirDroid Lock Screen Bypass Keith I Myers (May 15)