Full Disclosure mailing list archives
Google’s Android News and Weather App Doesn’t Always Use SSL [CVE-2017-9245]
From: Nightwatch Cybersecurity Research <research () nightwatchcybersecurity com>
Date: Tue, 18 Jul 2017 16:57:58 -0400
[Blog post here: https://wwws.nightwatchcybersecurity.com/2017/07/18/advisory-googles-android-news-and-weather-app-doesnt-always-use-ssl-cve-2017-9245/]

SUMMARY

Google News and Weather Application for Android does not use SSL for some server calls, exposing authentication tokens (OAuth) to anyone monitoring the network. It is not clear if the tokens belong to the user’s account or a service account. The vendor (Google) fixed the issue in v3.3.1 of the application and users should install the latest version. MITRE has assigned CVE-2017-9245 to track this issue.

DETAILS

The Google News and Weather application for Android is an application developed by Google which aggregates news from multiple sources. This application was originally included as part of the stock Android operating system but was separated into its own application around August 2014.

While performing network level testing of various Google applications, we discovered that some of the calls made by the application to Google’s server did not use SSL. Furthermore, analysis of the captured traffic showed that an authentication token (OAuth) was sent as part of those calls, thus exposing it to an attacker that is monitoring the network. It is not clear from our testing whether this token belonged to the user using the application, or was some sort of a service account. We also did not test earlier versions of the application, so it is also unclear whether this issue affects older versions of Android where this is part of the stock operating system.

To replicate the issue on v3.1.4:

1. Install the application and open it.
2. Flick away the application.
3. Set up the proxy without an SSL certificate and point the Android device to it.
4. Go back to the application and select any news feed, and then click on a news article from a site that doesn’t use SSL.
5. Go back to the proxy and observe captured traffic.

All testing was done on Android 7 and application v3.1.4. Network captures were performed using an on-device proxy (PacketCapture) without a trusted SSL certificate.

VENDOR RESPONSE

This issue was responsibly reported to the vendor and fixed in version 3.3.1 which was released in late June 2017. It is not clear if older versions of Android that include this as part of the OS are affected and/or fixable.

REFERENCES

CVE ID: CVE-2017-9245

BOUNTY INFORMATION

This bug satisfied the rules of the Google Vulnerability Reward Program (VRP) program and a bounty was paid.

CREDITS

Advisory written by Yakov Shafranovich.

TIMELINE

2017-05-11: Initial report to the vendor
2017-05-11: Report triaged by the vendor and bug filed
2017-05-26: Bounty decision received from vendor
2017-06-29: Fixed version released by the vendor
2017-07-12: Fixed version tested to confirm the fix
2017-07-12: Draft advisory sent to vendor for comment
2017-07-18: Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
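
The check described in the advisory (looking through proxy-captured traffic for OAuth tokens sent without SSL) can be automated when auditing an app's traffic. The following is an added example, not part of the original advisory or the vendor's code. It assumes the capture has been exported as (URL, headers) pairs, and because the advisory does not say where in the request the token appeared, it checks both the Authorization header and common token query parameters; all hosts and token values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameter names commonly used to carry OAuth tokens (assumption; the
# advisory does not say where in the request the token appeared).
TOKEN_PARAMS = {"access_token", "oauth_token", "id_token", "token"}
AUTH_SCHEMES = re.compile(r"^(bearer|oauth)\b", re.I)

def redact(value, keep=4):
    """Keep a short prefix so findings can be correlated without storing the token."""
    return value[:keep] + "..." if len(value) > keep else "..."

def find_cleartext_tokens(requests):
    """requests: iterable of (url, headers_dict) taken from a proxy capture.
    Returns one finding per credential seen on a non-TLS request."""
    findings = []
    for url, headers in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # requests already sent over HTTPS are not findings
        for name, value in headers.items():
            value = value.strip()
            if name.lower() == "authorization" and AUTH_SCHEMES.match(value):
                scheme, _, cred = value.partition(" ")
                findings.append((parts.hostname, "header:Authorization",
                                 scheme, redact(cred.strip())))
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() in TOKEN_PARAMS and value:
                findings.append((parts.hostname, "query:" + key, "", redact(value)))
    return findings

# Constructed sample capture (hosts and token values are made up).
SAMPLE = [
    ("http://news.example.test/feed?topic=world", {"Authorization": "OAuth ya29.CONSTRUCTEDTOKEN"}),
    ("https://news.example.test/feed?topic=world", {"Authorization": "OAuth ya29.CONSTRUCTEDTOKEN"}),
    ("http://img.example.test/thumb.png?access_token=abcd1234efgh", {"User-Agent": "test"}),
    ("http://static.example.test/style.css", {"Accept": "*/*"}),
]

if __name__ == "__main__":
    for host, where, scheme, cred in find_cleartext_tokens(SAMPLE):
        print(f"cleartext credential: host={host} location={where} "
              f"scheme={scheme or '-'} value={cred}")
```

Findings carry only a redacted prefix of each credential, so the report itself does not become another place where the token is exposed.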