A Tim Hortons app has been flagged for managing to violate Canada's privacy laws. We offer some advice to avoid becoming tangled in app woes.
The post Coffee app in hot water for constant tracking of user location appeared first on Malwarebytes Labs.

A mobile app violated Canada’s privacy laws via some pretty significant overreach with its tracking of device owners. The violation will apparently not bring the app owners, Tim Hortons, any form of punishment. However, the fallout from this incident may hopefully serve as a warning to others with an app soon to launch. That’s _one_ theory, anyway. In reality, this level of data collection is not as uncommon as is being suggested.

**The app collects _how much_ data?**

It all begins in June 2020, when a reporter finds the Tim Hortons app is going above and beyond what one would expect as a reasonable level of tracking. Despite an FAQ claiming tracking only takes place “with the app open”, reporter James McCleod submits a request under Canada’s Personal Information protection and Electronic Documents Act. He discovers the app has recorded his longitude and latitude coordinates “more than 2,700 times in less than five months”, and not just when the app was in use.

In fact, he’d never have known this level of tracking was taking place save for a notification saying the app had collected his location. The twist: he hadn’t used the app in hours. This one tiny mobile notification quickly snowballed into the story we have today.

The notification was due to an Android system update giving users the option to limit an app’s access to location information. When people and organisations say it’s a good idea to update your device, this story is a perfect example of why that is.

**How can apps collect data?**

We’ve previously covered Bluetooth beacons and geofencing on this site. These are a staple diet of Out of Home (OOH) advertising. If you’re unfamiliar with how this technology typically operates, here’s a brief rundown:

1.  You enable Bluetooth on your phone. It’s not a major battery drain and becoming more useful to mobile users than ever before so this isn’t a hassle for most people.
2.  Stores you enter may have a Bluetooth beacon which fires out a rapid pulse signal. If you have an app for the store you’re in and have granted it permission to interact, this is where the fun begins. The store can track your movements, and figure out which items you hovered in front of and which you ignored completely. The store can then offer discounts, flash sales, and even optimal item placement based on this data.
3.  Geofencing will help get you to the store in the first place. With app and permissions enabled, you may well have adverts sent directly to your phone when driving. You may even experience digital billboard Geofence marketing.

**It’s not just about coffee**

The biggest concern here for McCleod wasn’t that the app was tracking him on coffee runs. That was expected behaviour. What really stood out was the kind of deep-dive data collection that was generating “events” everywhere he went and building up a picture of his daily life.

> The Tim Hortons app used location data to infer where users lived, worked, and whether they were travelling. It generated an “event” every time users entered and left their homes, entered and exited their office, or travelled. https://t.co/ZvPJnTx8CT pic.twitter.com/yx1q8dqQtH
> 
> — OPC (@PrivacyPrivee) June 1, 2022

The app, which made use of Geofencing platform Radar, flagged trips in and out of the home. It tried to distinguish between home and office. There was even an event fired for walking past a KFC in Morocco. In fact, the app seemed to spring into life any time McCleod walked past a rival business. McDonald’s, Starbucks, A&W, and more all triggered events.

A spokesperson for Tim Hortons said this was to “tailor marketing and promotional offers” inside the app, and that no data was shared with the other companies. This wouldn’t be enough to avert some pretty serious conclusions made from the app investigation.

**The investigation findings**

Tim Hortons stopped continuous tracking in 2020 after Government investigations began, but there were still concerns over the data collected. Tim Hortons’ contract with a third-party location services supplier allowed for the possibility of selling “de-identified” data. De-anonymisation is a big problem.

Despite explanations from Tim Hortons, the investigation concluded that

> _“…continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products.”_

It also found the app continued collecting large amounts of location data for a year after deciding against using it for targeted data, despite there being no need to do so. The four privacy authorities involved recommended Tim Hortons:

*   Delete any remaining location data and direct third-party service providers to do the same;
*   Establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain app-related practices; and
*   Report back with the details of measures it has taken to comply with the recommendations.

Tim Hortons agreed.

The full findings on this case can be seen in the report here.

**Climbing under the fences: Tips for avoiding tracking**

There are several ways to avoid or opt-out from tracking which you may feel is overly invasive.

1.  **Keep your mobile device up to date**. It’s the difference between having basic “on/off” privacy settings or waking up to find you have multiple granular controls for all aspects of app use.
2.  **Not using Bluetooth? Turn it off**. You won’t enjoy a massive battery bump, but you will go some way towards staying below the beacon radar.
3.  **Think carefully about agreeing to GPS permissions for apps**. It’s as specific a way to track your movements as can be, and some apps/services save this data online for you to view at a later date. This isn’t great if the service or account is compromised, so always ensure there’s an option to delete historical data. Depending on mobile device or OS, you may have very basic location options or several options tied to different services. It’s well worth taking some time to see what’s in there.
4.  **Introduce some security to your mobile ecosystem**. Mobile ad blockers, privacy and anonymity tools will all help with regard prevention of advertising profiles tied to your real world location and identity. It may not just be the app, but the other sites, services, and ad networks it plugs into which you have to consider.
5.  **Always read the EULA**. It’s a pain, but it’s really worth checking out the privacy policies and EULAs of the apps you use. See how they share data, how long information is stored for, and which advertising networks the apps partner with. Of course, this may have limited use considering portions of the Tim Hortons app FAQ were incorrect but it’s a good way to get up to speed on an app more broadly.

Coffee app in hot water for constant tracking of user location

An illicit online marketplace known as SSNDOB was taken down in operation led by U.S. law enforcement agencies, the Department of Justice (DoJ) announced Tuesday.
SSNDOB trafficked in personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S., generating its operators $19 million in sales revenue.
The action

An illicit online marketplace known as **SSNDOB** was taken down in operation led by U.S. law enforcement agencies, the Department of Justice (DoJ) announced Tuesday.

SSNDOB trafficked in personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S., generating its operators $19 million in sales revenue.

The action saw the seizure of several domains associated with the marketplace — ssndob.ws, ssndob.vip, ssndob.club, and blackjob.biz — in cooperation with authorities from Cyprus and Latvia.

According to blockchain analytics firm Chainalysis, SSNDOB's Bitcoin payment processing system has received nearly $22 million worth of Bitcoin across over 100,000 transactions since April 2015.

Furthermore, bitcoin transfers to the tune of more than $100,000 have been unearthed between SSNDOB and Joker's Stash, another darknet market that specialized in stolen credit card information and voluntarily closed shop in January 2021, indicating a close relationship between the two criminal storefronts.

"The SSNDOB administrators created advertisements on dark web criminal forums for the Marketplace's services, provided customer support functions, and regularly monitored the activities of the sites, including monitoring when purchasers deposited money into their accounts," the DoJ said in a statement.

Additionally, the cybercriminal actors are said to have employed tactics to conceal their true identities, including using anonymous online profiles, maintaining servers in different countries, and requiring potential buyers to use cryptocurrencies.

"Identity theft can have a devastating impact on a victim's long-term emotional and financial health," said Darrell Waldon, special agent in charge of IRS-CI Washington, D.C. Field Office. "Taking down the SSNDOB website disrupted ID theft criminals and helped millions of Americans whose personal information was compromised."

The takedown marks the continued ramping up of efforts on the part of law enforcement agencies across the world to disrupt malicious cyber activity.

Last week, Europol publicized the shut down of FluBot Android banking trojan, while the Justice Department said it seized three domains used by cybercriminals to trade stolen personal information and facilitate distributed denial-of-service (DDoS) attacks for hire.

Earlier this year, the Federal Bureau of Investigation (FBI) also neutralized a modular botnet dubbed Cyclops Blink as well as dismantled RaidForums, a hacking forum notorious for selling access to hacked personal information belonging to users.

In a related development, the U.S. Treasury Department also sanctioned Hydra after German law enforcement authorities disrupted the world's largest and longest-running dark web marketplace in April 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

FBI Seizes 'SSNDOB' ID Theft Service for Selling Personal Info of 24 Million People

A vulnerability was found in Klapp App and classified as problematic. This issue affects some unknown processing of the JSON Web Token Handler. The manipulation leads to weak authentication. The attack may be initiated remotely.

**Knapp daneben ist auch vorbei**

Wir als modzero sehen seit einem Jahrzehnt Sicherheitsschwachstellen und Datenschutzvergehen in verschiedensten Variationen. Unabhängig von der Art oder Komplexität einer Schwachstelle sehen wir sehr oft einen wenig risikobewussten Umgang mit Daten und Ressourcen. Wir schreiben das Jahr 2020, und noch immer werden Applikationen mit der heissen Nadel gestrickt. Time-to-Market hat eine so hohe Priorität, dass nicht einmal grundlegende Sicherheitsprinzipien in die Lösungsarchitektur oder das individuelle Applikationsdesign einfliessen. Man findet an jeder Ecke Applikationen und Datenverarbeitungssysteme, die schlecht, d.h. unsicher, mit den ihnen anvertrauten Daten umgehen. Dies ist umso gravierender, wenn es sich um personenbezogene Daten oder gar Gesundheitsdaten handelt.

In unserem Artikel Mit Webapps gegen COVID-19 wollten wir darauf aufmerksam machen, dass jeder eine Verantwortung hat, dass Software angemessen sicher wird. Heute möchten wir dieses Thema mit einem weiteren Beispiel erneut aufgreifen. Die anhaltende Corona-Pandemie eröffnet neue Herausforderungen aber auch Möglichkeiten bei der Digitalisierung und der Datenverarbeitung. In allen Bereichen sucht man nach Lösungen, und spätestens während des totalen Lockdowns haben auch Schulen festgestellt, dass sie noch Nachholbedarf im digitalen Bereich haben. Es wurde alles eingesetzt was verfügbar war: Zoom, Teams, WhatsApp, Facebook Messenger. In der Schweiz wurde bereits vor drei Jahren eine schweizerische Plattform namens Klapp ins Leben gerufen, welche insbesondere die Kommunikation zwischen Eltern und Schule und Lehrpersonen vereinfachen soll. _Einfache Kommunikation, die klappt!"_, so der Slogan des Unternehmens. Zu Zeiten von Corona hat diese Plattform einen massiven Nutzer-Zuwachs erhalten. Unter den Nutzern ist auch eine unserer MitarbeiterInnen.

**Wie funktioniert Klapp?**

Bei Klapp handelt es sich um ein schweizerisches Start-Up mit dem Sitz in Fislisbach (AG). Zum Zeitpunkt der Veröffentlichung gibt das Unternehmen an mehr als 200 Schulen, 8'600 Lehrpersonen und 45'000 Eltern eine Plattform zur Kommunikation zu bieten. Hier werden gemäss seinen Angaben täglich rund 3'000 individuelle Nachrichten versendet. (siehe hierzu Angaben durch Klapp) Die Daten werden ausschliesslich in der Schweiz gespeichert. Neben der Benutzung im Browser kann die App kann auch mit dem Smartphone (iOS und Android) genutzt werden.

Aus technischer Sicht ist Klapp eine cordova-basierte Web- und Mobile-App. Zur Registrierung als Elternteil oder Schüler benötigt man einen sogenannten Autorisierungs-Code. Nach erfolgreicher Registrierung ist der Zugriff auf die jeweilige Klasse und die damit verbundenen Funktionalitäten möglich. Während der Kurzanalyse wurden folgende Haupt-Funktionen als angemeldetes Elternteil identifiziert:

*   Gruppen und individual Chats
*   Versand von Dateien zwischen Kommunikationspartnern
*   Kalenderfunktionen
*   Informationen über die Klassenmitglieder
*   Namen der Kinder und registrierte Eltern
*   E-Mail-Adressen und Rufnummern (wenn freigegeben)

Damit Schulen die Klapp-Plattform nutzen können, wird zunächst ein Ex- und Import von Stammdaten vorgenommen. Zu diesem notwendigen Ex- und Import Prozess hat Klapp diverse Anleitungen veröffentlicht. Nach erfolgreichem Daten-Import können die Lehrpersonen Einladungsschreiben für die Eltern generieren. Diese enthalten Informationen über Klapp und sind personalisiert. Jedes dieser Einladungsschreiben hat nämlich zusätzlich den Namen des Kindes und einen Autorisierungs-Code für die Eltern aufgedruckt.

Beispielhaftes Einladungsschreiben mit Autorisierungs-Code und Vor- Nachname des Kindes

Dieser Autorisierungs-Code wird bei der Registration benötigt. Hiermit autorisiert sich die Anwenderin als Elternteil eines bestimmten Kindes. Der Autorisierungscode stellt somit das eindeutige Merkmal dar, um die betreffende Person zu identifizieren.

Registrierungs Ansicht in der iOS-App

Der Autorisierungs-Code hat das folgende Format: P-ABCDE1. Das Präfix _"P-"_ steht für _"Parent"_, Autorisierungs-Codes von Schülerinnen haben das Präfix _"S-"_, was für _"Student"_ steht. Die darauffolgenden Werte sind sechs alphanumerische Zeichen, Das bedeutet, dass es maximal 2.17 Milliarden mögliche _"Parent"_ oder _"Student"_ Codes gibt - Bei einer Anfrage pro Sekunde an den Klapp-Server benötigt man 3,7 Wochen um alle möglichen Autorisierungs-Codes zu erraten. Geht man von aktuell 45'000 verfügbaren Autorisierungs-Codes aus, trifft man mit einer Warscheinlichkeit von 52.49%, bei der selben Anfragerate, nach 10 Stunden mindestens einen gültigen Autorisierungs-Code. Würde man den möglichen Raum von Zeichen um Kleinbuchstaben und die Länge des Autorisierungs-Codes auf 10 erweitern, so bräuchte man, bei der angenommenen Anzahl an Anfragen pro Sekunde, 16 Millionen Jahre um alle durchzuprobieren. Die Annahme, dass nur eine Anfrage pro Sekunde möglich ist gilt als sehr konservativ, nicht selten können aktuelle Webserver bis zu 1000 Anfragen/Sekunde abarbeiten.

**Wie steht es bei Klapp um den Datenschutz?**

Die Daten der Applikation (Nachrichten, Chats und Bilder) werden zwar über einen _verschlüsselten Kanal_ auf den Klapp-Server übertragen, werden auf dem Server aber _unverschlüsselt gespeichert_. Das heisst, dass mindestens der Betreiber und alle Involvierten, welche die Daten prozessieren, Informationen mitlesen und manipulieren könnten. Im Falle eines Klassenverbundes heisst das im einfachsten Fall, dass die Klapp GmbH sowie die Dienstleister für den Nachrichtenversand über die registrierten Kinder und Eltern sowie Klassengruppierungen und die versendeten Informationen Bescheid wissen. Werden sensible Informationen wie Krankheiten oder vielleicht Kritik- oder Entwicklungspunkte der Kinder zwischen Personen ausgetauscht, sind diese nicht umfassend gesichert und es ist nicht ersichtlich ob man mit dem legitimen Kommunikationspartner Daten austauscht.

In Ihrer Datenschutzerklärung verspricht die Klapp GmbH:

> "Wir geben keine Personendaten an Dritte weiter und erzielen auch keinen kommerziellen Nutzen daraus. Ihre Personendaten, die Sie uns zur Verfügung stellen, werden von uns weder verkauft, vermietet noch gehandelt".

Weiter schreibt die Klapp GmbH:

> "Ihre Daten speichern wir in der Schweiz. Benutzerdaten werden in der Schweiz gespeichert und verarbeitet und unsere Partner halten die schweizerischen und europäischen Datenschutzverordnung ein".

Und _"Privacy by Design"_ wird ebenfalls als Merkmal benannt. Die Aussage _"Wir wollen mit Ihren Daten kein Geld verdienen. Ihre Benutzerdaten werden unter keinen Umständen an Dritte verkauft oder für Werbung verwendet."_ wirkt vertrauenserweckend.

Auch die Schulen scheinen von der Lösung und deren Sicherheit überzeugt. Auf Anfrage, warum Vor- und Familienname an Dritte ohne Zustimmung mitgeteilt werde teilte eine Schule mit:

> "Die Firma Klapp hat nach der Registrierung nur Name und Vorname plus Schule Ihres Kindes. Diese gehören nach meinem Wissen nicht zu den besonders schützenswerten Daten. Es ist uns aber bewusst, dass ein sorgfältiger Umgang mit Daten zentral ist. Daher haben wir uns bei der App auch für die Firma Klapp entschieden, die einen hohen Standard bei der Datensicherheit garantiert".

Bei einer technischen Betrachtung zeigt sich ein anderes Bild. Klapp verwendet beispielsweise für die Übermittlung der Daten Push-Nachrichten, welche über den US-Amerikanischen Dienst OneSignal versendet werden. Hier werden neben dem Vor- und Familiennamen des Absenders und der Betreff der Nachricht auch weitere Metainformationen über das verwendete Gerät und das Betriebssystem und des Netzwerkbetreibers gesammelt.

Push-Benachrichtigung enthält Informationen über den Absender sowie Betreff der Nachricht

POST /players/8a77f111-c146-402b-88f3-18d874c19872/on\_session HTTP/1.1
Host: api.onesignal.com
Content-Type: application/json
Cookie: \_\_cfduid=dd2b3c2801e2179392b0232eac71bf6bf1597813825
Connection: close
If-None-Match: W/"698f061ae145e46b912b7e8e00450320"
Accept: application/vnd.onesignal.v1+json
SDK-Version: onesignal/ios/021402
Accept-Language: de-ch
Content-Length: 434
Accept-Encoding: gzip, deflate
User-Agent: Klapp/2.0.1 CFNetwork/1126 Darwin/19.5.0

{
  "app\_id" : "bb3877cc-afc0-4d81-ac73-9339554c7686",
  "net\_type" : 0,
  "device\_type" : 0,
  "sdk" : "021402",
  "identifier" : "b5c9f6956a9606a93f564ac0677342ffafd9540b6c34ba170da574fd3f77dc08",
  "language" : "de-CH",
  "device\_os" : "13.5.1",
  "game\_version" : "2.0.1",
  "timezone" : 7200,
  "ad\_id" : "CF7A0B86-311E-4EF7-A469-F7A5322B206A",
  "notification\_types" : 31,
  "carrier" : "Salt",
  "device\_model" : "iPhone11,2"
}

Bei dem Versand via E-Mail verwendet Klapp den Dienstleister Mailgun - ebenfalls ein US-Unternehmen (siehe Datenschutzerklärung). Im Gegensatz zu den Push-Nachrichten beinhalten die E-Mail-Nachrichten auch die versendete Information, sowie Hyperlinks zu den allenfalls angehängten Dokumenten. Was bedeutet, dass neben Klapp auch Mailgun in der Lage ist, sämtliche E-Mail-Inhalte zu lesen oder zu manipulieren. Ob diese Firmen sich der hiesigen Gesetzeslage und Richtlinien unterwerfen, ist für uns aktuell nicht prüfbar. Wir möchten aber auch darauf hinweisen, dass die Daten auch ungewollt als Folge eines Erpressungsversuches oder eines Hacker-Angriffes bei dem Dienstleister geleakt werden könne .

E-Mail erhalten über _Mailgun_ enthält den genauen Text sowie Links zu den angehängten Dateien

Wir geben der Firma Klapp recht. Privacy by Design ist wichtig... und zwar genau aus dem Grund, dass niemand unautorisiertes Drittes unsere Daten einsehen können sollte. Genau deshalb sollte konsequent Ende-zu-Ende-Verschlüsselung eingesetzt werden, wie es zum Beispiel im Leitfaden des Datenschutzbeauftragten des Kantons Zürich empfohlen wird. Deshalb werden Instant-Messengers wie Signal oder Threema von vielen bevorzugt, da der Transportweg sowie jede Zwischenspeicherung verschlüsselt ist und erst am eigentlichen Endgerät entschlüsselt werden kann.

Nachdem wir uns dem Datenschutzversprechen der Firma Klapp GmbH und dem Thema Datenschutz gewidmet haben, möchten wir auf einige der technischen Unzulänglichkeiten eingehen. Viele der identifizierten Fehlerklassen sind trivial und bekannt. Auch wenn die Auswirkungen bei dieser Applikation möglicherweise gering ausfallen, möchten wir diese aufführen, weil wir diese immer wieder sehen.

**Und wie steht es um die Informationssicherheit?**

Datenschutz und Informationssicherheit sind eng miteinander verbunden und das Befolgen von Sicherheitsempfehlung wichtig, um den Datenschutz überhaupt zu Implementieren. Eine oberflächliche Betrachtung der Plattform hat gezeigt, dass grundlegende Sicherheitsprinzipien der Informationstechnik sowie der sicheren Entwicklung für mobile Anwendungen nicht befolgt wurden. Dies ist leider auch im Jahr 2020 immer noch häufig anzutreffen. Gerade in frühen Projektphasen ist die Erarbeitung von Bedrohungsmodellen und das Definieren von Sicherheitsanforderungen ein Kernpunkt, um später beim Lösungsdesign sowie der eigentlichen Entwicklung die richtigen Massnahmen und Methoden zu ergreifen. Gerade die gefundenen Trivialfehlerklassen zeigen, dass Datenschutz und Sicherheit während der Entwicklung der Plattform keine Schwerpunktthemen waren.

Während der Nutzung der Applikation konnte beobachtet werden, dass nicht nur der eigene Autorisierungs-Code vom Klapp-Server übermittelt wird, sondern auch die Autorisierungs-Codes, welche es den anderen Eltern ermöglichen sich eindeutig zu identifizieren.

Auszug aus der Server-Antwort. Zu sehen ist ein JSON-Objekt mit Informationen zu Kindern und Eltern. Ausserdem sind die Autorisierungs-Codes der Eltern enthalten.

Das bedeutet, dass jeder Empfänger das eindeutige Identifizierungsmerkmal aller Klassenteilnehmer besitzt und deren Identität übernehmen kann. Die Auswirkung eines Missbrauchs erscheint vielleicht aktuell nicht weiter schlimm bei einer solchen Verwendung. Soziales Schadenspotenzial ist auf jeden Fall vorhanden und Vertrauensmissbrauch ist möglich. Wichtig ist jedoch zu verstehen, dass eine zukünftige Funktionserweiterung der Plattform noch andere betrügerische Aktivitäten ermöglichen könnte, die heute vielleicht noch nicht absehbar sind. Hätte Klapp eine Implementierung nach den eigens aufgestellten Prinzipien der Datensparsamkeit und Need-to-Know Basis gewählt, wäre dieser Fehler gar nicht aufgetreten. Diese Schwachstelle wurde umgehend dem Klapp-Team gemeldet und Sie wurde am Abend des 24. August 2020 durch ein serverseitiges Update behoben. Daraufhin hat das Klapp-Team auch eine interne Nachricht an die BenutzerInnen versendet in der zu einer manuellen Überprüfung der registrierten Elternteile aufgerufen wird.

In-App Benachrichtigung des Klapp-Teams nachdem die Autorisierungs-Code-Leck Schwachstelle behoben wurde.

Ebenfalls ein Klassiker unter den trivialen Fehlern in Applikationen ist eine Vertrauensstellung durch sehr langlebige Authentisierungsmerkmale. Im Falle der Klapp-Applikation sind es JSON-Web-Token ohne Ablaufzeitpunkt. Jeder, der in den Besitz eines solchen Tokens gelangt, kann ohne zusätzliche Merkmale wie Benutzername oder Passwort andere Nutzer imitieren und hat somit automatische die Identität und Berechtigungen des legitimen Eigentümers. Bei der Klapp-Applikation werden diese Tokens auf dem Endgerät ohne zusätzliche Schutzmassnahmen abgelegt und gelangen so auch auf Backup-Datenträger oder Cloud-Dienste. Auch hier möchten wir darauf hinweisen, dass die Auswirkungen zum Glück in dem heutigen Anwendungsfall moderat ausfallen. Bekannte Schwachstellen zu implementieren ist auf jeden Fall eine schlechte Praxis, auch wenn sie aktuell wenig Relevanz haben.

Unsterblicher JSON-Web-Token da kein Ablaufzeitpunkt (_exp_ angegeben ist.)

Die SQLite Datenbank ist nicht verschlüsselt. Auch die darin enthaltenen Informationen sind nicht durch die App verschlüsselt.

Die SQLite Datenbank befindet sich in einem Geräte Backup.

Der Versand von individual Nachrichten an Lehrer ist eine von der Plattform vorgesehene Funktionalität. Wählt man "Neue Nachricht" aus so erscheint eine Auflistung der Lehrer, welche zum Empfang von Nachrichten autorisiert sind. Jeder Lehrer hat in der Plattform eine eindeutige Benutzerkennung, Beispielsweise 5f3bf6370452c910612c71be. Diese wird beim Versand der Nachricht angegeben. Eine solche Benutzerkennung haben auch Eltern und Schüler. Tauscht man die Benutzerkennung des Lehrers mit der eines anderen Elternteils aus, so wird die Nachricht an den gewünschten Empfänger übermittelt.

In-App Nachricht an ein anderes Elternteil versendet.

Soweit modzero bekannt, ist dies keine vorgesehene Funktionalität. Auch hier müssen wir erneut darauf verweisen, dass solche Fehlerklassen üblich sind. Nur weil eine Benutzeroberfläche eine Einschränkung vorsieht, muss diese von der Applikation nicht zwingend umgesetzt worden sein. Eine Einschränkung in der Benutzeroberfläche ersetzt nicht ein striktes Umsetzen eines ordentlichen Benutzer- und Rollenkonzeptes auch im Backend.

Beiläufig sind noch weitere Probleme aufgefallen, welche hier nicht im Detail beschrieben werden, aber auch mit dem Klapp-Team besprochen wurden:

*   Sensible Informationen in lokaler SQLite-Datenbank (iOS)
*   SQLite Datenbank (iOS) in einem Backup vorhanden
*   Fehlendes Zertifikats-Pinning und Jailbreak-Erkennung
*   Keine Möglichkeit den Zugriff auf die App durch Pass Code oder biometrische Merkmale zu beschränken
**Fazit**

Dies soll kein Aufruf zur Verhinderung von Innovation oder Digitalisierung sein, jedoch bitten wir jeden einzelnen Entwickler, Architekt, CEO... JEDEN Involvierten... seine Verantwortung wahrzunehmen und im Zweifelsfall jemanden hinzuzuziehen, der die Sachlage neutral beurteilen kann.

Natürlich kann in diesem Beispiel argumentiert werden, dass die Auswirkungen der Schwachstellen ja überschaubar sind und die Schutzmassnahmen für das Anwendungsgebiet möglicherweise ausreichen. Das Problem einer solchen Argumentation liegt dabei, dass sich die Umgebung, der Funktionsumfang, die Entwicklungsprozesse sowie die Firmen selbst zukünftig wandeln werden. Selbst wenn zum jetzigen Zeitpunkt ein Unternehmen ehrbare Ziele verfolgt oder eine Applikationsschwachstelle nur eine verhältnismässig geringe Auswirkung aufweist, so kann sich dies schon Morgen ändern. Es ist daher wichtig bereits früh in der Projektphase die richtigen Entscheidungen zu treffen und Fehlfunktionen, Schwachstellen und Bedrohungsmodelle als integral wichtigen Bestandteil zu behandeln.

**Zeitlicher Ablauf***   2020-08-18  Einladungsschreiben der Schule erhalten.
*   2020-08-18  Schwachstellen aufgedeckt.
*   2020-08-19  Klapp kontaktiert. Klapp hat sich zurückgemeldet.
*   2020-08-21  Schwachstellen telefonisch an Klapp übermittelt. Schwachstellen akzeptiert.
*   2020-08-24  Rückmeldung von Klapp erhalten, dass die Autorisierungs-Code Schwachstelle behoben wurde

CVE-2020-36533: Knapp daneben ist auch vorbei

A vulnerability, which was classified as critical, was found in Platinum Mobile 1.0.4.850. Affected is /MobileHandler.ashx which leads to broken access control. The attack requires authentication. Upgrading to version 1.0.4.851 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****SEC Consult SA-20201001-0 :: Broken Access Control in Platinum Mobile**

_From_: SEC Consult Vulnerability Lab <research () sec-consult com>  
_Date_: Fri, 2 Oct 2020 18:17:48 +0000  

SEC Consult Vulnerability Lab Security Advisory < 20201001-0 >
=======================================================================
              title: Broken Access Control
            product: Platinum Mobile
 vulnerable version: 1.0.4.850
      fixed version: 1.0.4.851
         CVE number: -
             impact: critical
           homepage: https://www.platinumchina.com/en/products/p11
              found: 2020-04-24
                 by: M. Li (Office Munich)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Platinum Mobile is a mobile office system based on Platinum HRM and ESS
Workflow to realize HR informatization management, taking portable devices
such as mobile phone, tablet pc as its main form and carrier. The new mobile
solution will enable employees quickly and conveniently deal with affairs and
not limited by time and place, thus effectively expedite the efficiency of
internal communication and operations. Users can directly use their mobile
devices landing on the client side to complete a series of tasks. Meanwhile,
the executive have the access to making decisions and approvals anytime and
anywhere."

Source: https://www.platinumchina.com/en/products/p11

Business recommendation:
------------------------
It is recommended to apply the hotfix or update the server component to version
1.0.4.851.


Vulnerability overview/description:
-----------------------------------
1) Broken access control
The mobile application connects to the company-specific server, which does
not properly restrict the access to confidential data. Thus, an authenticated
attacker can disclose the company's payroll, personal information of other
employees without having appropriate privileges to do so.


Proof of concept:
-----------------
1) Broken access control
The mobile application's request consists primarily of two parts: an XML message
in the body and its MD5 hash in the query string.

POST /MobileHandler.ashx?MessageHash=43a98be456b0213ce45e23fdf54c58b8 HTTP/1.1
Host: \[redacted\]
Content-Length: 276

<Message ID="msg1" MessageType="InvokeServiceMessage" Service="Payslip" Method="getMyPayslipMonthInfoForReleaseMany" 
Language="English" UserCode="user0" TokenID=""><Parameters><String>0000000537</String><DateTime>2020-03-31 
00:00:00</DateTime><null/></Parameters></Message>

Analyzing the mobile application reveals the following algorithm to
calculate the hash:

MessageHash = hex\_md5(escape(XmlMsg) + TokenID);

Furthermore, the server-side part of the application runs the following logic
to verify the message:
- extract the "UserCode" value from the message
- look up the "TokenID" associated with the "UserCode"
- calculate and compare the hash
- if valid, trust and use the parameters in the message, which serves as
  the real reference (rather than the "UserCode") to the business data.

Given this information, an authenticated attacker can craft a message with
an arbitrary value set (e.g. 0000000537) for the element "Parameters" and
calculate the hash with the attacker's "UserCode" and "TokenID".

As a consequence, the pay slip of another employee (e.g. a higher-ranked
manager) can be disclosed. By iterating the values, the attacker can
reveal the entire payroll data of the whole company.

In the following example an authenticated user "user0" can collect
personal information of "user1", including phone number, emails etc.

POST /platinummobile/Handlers/MobileHandler.ashx?MessageHash=bf62c16cad7a6b27b0fee8e1a21409b7 HTTP/1.1
Host: \[redacted\]
Content-Length: 203

<Message ID="msg1" MessageType="InvokeServiceMessage" Service="MyAccount" Method="GetMyInfo" Language="English" 
UserCode="user0" TokenID=""><Parameters><String>user1</String></Parameters></Message>


Vulnerable / tested versions:
-----------------------------
The following version has been tested, which was the most recent one at the
time of the test:
- 1.0.4.864 on Android
- 1.0.4.864 on iOS
- 1.0.4.850 on Server


Vendor contact timeline:
------------------------
2020-05-19: Contact vendor through the provided email address.
2020-05-20: Exchange on the issue.
2020-05-22: Vendor acknowledged the issue, and claimed a hotfix will be released
            before a fix in the next version.
2020-07-22: Contact the vendor again.
2020-07-23: Vendor informed that a hotfix has been released.
2020-08-19: Customer confirmed that the hotfix works.
2020-10-01: Release of the advisory.


Solution:
---------
Apply the hotfix or update the application to the latest version 1.0.4.851.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec\_consult

EOF M. Li / @2020

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SEC Consult SA-20201001-0 :: Broken Access Control in Platinum Mobile** _SEC Consult Vulnerability Lab (Oct 02)_

CVE-2020-36528: Broken Access Control in Platinum Mobile

Apple’s iOS 16 and macOS Ventura will introduce passwordless login for apps and websites. It’s only the beginning.

Your passwords are terrible. Year after year, the most popular passwords leaked in data breaches are 123456, 123456789, and 12345—‘qwerty’ and ‘password’ come close behind—and using these weak passwords leaves you vulnerable to all sorts of hacking. Weak and repeated passwords are one of the most significant risks to your online life.

For years, we’ve been promised a more secure, password-free future, but it seems like 2022 will _actually_ be the year that millions of people start to move away from passwords. At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using “Passkeys” with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.

So how does it work? Passkeys replace your tired old passwords by creating new digital keys using Touch ID or Face ID, Apple’s vice president of internet technologies, Darin Adler, explained at WWDC. When you are creating an online account with a website, you can use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” Adler said.

When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a passphrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (The use of iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (WebAuthn) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.

A passwordless system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful phishing attacks. And passwords can’t be stolen in data breaches if they don't exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)

Apple’s Passkeys aren’t entirely new—the company first detailed them at 2021’s WWDC and started testing them shortly after—and Apple isn’t the only one that wants to eliminate passwords. The FIDO Alliance, a tech industry group, has been working on the underlying standards needed to ditch passwords for almost a decade, and Apple’s Passkeys are the company’s implementation of these standards.

In recent months, FIDO has taken a series of important steps to bring the password’s demise closer to reality. In March, FIDO announced it has figured out a way to store the cryptographic keys that sync between people’s devices, calling them “multi-device FIDO credentials” or “passkeys.”

This was followed in May by Apple, Microsoft, and Google declaring their support for the FIDO standards. Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, said adoption of the standards would keep more people safe online. At the time, the three tech giants said they would start rolling out the technology “over the course of the coming year.” Microsoft account owners have been able to ditch their passwords since September of last year, and Google has been working on its passwordless technology since 2008.

When all the tech companies have rolled out their version of passkeys, it should be possible for the system to work across different devices—in theory, you could use your iPhone to log in to a Windows laptop, or an Android tablet to log in to a website in Microsoft’s Edge Browser. “All of FIDO’s specs have been developed collaboratively, with inputs from hundreds of companies,” says Andrew Shikiar, the executive director of the FIDO Alliance. Shikiar confirms that Apple is the first company to start rolling out passkey-style technology and says this shows “how tangible this approach will soon be for consumers worldwide.”

Any success for a passwordless future depends on how it works in reality. At the moment, there are unanswered questions about what happens to your Passkeys if you want to ditch Apple’s ecosystem for Android or another platform. (Apple hasn’t yet responded to our request for comment.) And developers still need to implement changes to their apps and websites to work with Passkey. Plus, to gain trust in any system, people need to be educated about how it works. “Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” ​​Alex Simons, the head of Microsoft’s identity management efforts, said in May. In short: If cross-device systems are clunky or a pain to use, people may shun them in favor of weak but convenient passwords.

While Apple’s Passkey and Google and Microsoft’s equivalents are still some months away (at the very least), that doesn’t mean you should idly keep using your weak or repeated passwords. Every password you use—whether it’s for a one-time account used to buy DIY supplies or your Facebook account—should be strong and unique. Don’t use common phrases, names of friends or pets, or personal information linked to you in your passwords.

Instead, your passwords should be long and strong. The best way to achieve this is by using a password manager, which can help you create and store better passwords. You can find our pick of the best password managers here. And while you’re thinking about your security, turn on multi-factor authentication for as many accounts as possible.

Apple Just Killed the Password—for Real This Time

In WIFI Firmware, there is a possible memory corruption due to a use after free. This could lead to remote escalation of privilege, when devices are connecting to the attacker-controllable Wi-Fi hotspot, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06468872; Issue ID: ALPS06468872.

**June 2022 Product Security Bulletin**

Published 2022-06-06

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT and TV chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2022-21745

Medium

CVE-2022-21746, CVE-2022-21747, CVE-2022-21748, CVE-2022-21749, CVE-2022-21750, CVE-2022-21751, CVE-2022-21752, CVE-2022-21753, CVE-2022-21754, CVE-2022-21755, CVE-2022-21756, CVE-2022-21757, CVE-2022-21758, CVE-2022-21759, CVE-2022-21760, CVE-2022-21761, CVE-2022-21762

****Details****

CVE

**CVE-2022-21745**

Title

Use after free in WIFI Firmware

Severity

High

Vulnerability Type

EoP

CWE

CWE-416 Use After Free

Description

In WIFI Firmware, there is a possible memory corruption due to a use after free. This could lead to remote escalation of privilege, when devices are connecting to the attacker-controllable Wi-Fi hotspot, with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6769, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8695, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-21746**

Title

Improper input validation in imgsensor

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In imgsensor, there is a possible out of bounds read due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6885, MT6893, MT8167, MT8167S, MT8168, MT8175, MT8362A, MT8365, MT8788

Affected Software Versions

Android 9.0, 10.0, 11.0, 12.0

CVE

**CVE-2022-21747**

Title

Improper input validation in imgsensor

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-20 Improper Input Validation

Description

In imgsensor, there is a possible out of bounds read due to a missing bounds check. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6885, MT6893, MT8167, MT8167S, MT8168, MT8173, MT8362A, MT8365, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 9.0, 10.0, 11.0, 12.0

CVE

**CVE-2022-21748**

Title

Improper access control in telephony

Severity

Medium

Vulnerability Type

ID

CWE

CWE-284 Improper Access Control

Description

In telephony, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8321, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21749**

Title

Improper access control in telephony

Severity

Medium

Vulnerability Type

ID

CWE

CWE-284 Improper Access Control

Description

In telephony, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT6895, MT6983, MT6985, MT8321, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21750**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6761, MT6779, MT6781, MT6833, MT6853, MT6873, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21751**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6771, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0

CVE

**CVE-2022-21752**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8695, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21753**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8695, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21754**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6765, MT6768, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8695, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21755**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT6895, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8695, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21756**

Title

Improper input validation in WLAN driver

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In WLAN driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT6895, MT6983, MT6985, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8695, MT8696, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21757**

Title

Uncontrolled resource consumption in WIFI Firmware

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-400 Uncontrolled Resource Consumption

Description

In WIFI Firmware, there is a possible system crash due to a missing count check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6877, MT6885, MT6889, MT6983, MT6985, MT8167S, MT8168, MT8175, MT8183, MT8185, MT8362A, MT8365, MT8385, MT8667, MT8675, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21758**

Title

Double free in ccu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-415 Double Free

Description

In ccu, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6885, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21759**

Title

Buffer copy without checking size of input ('classic buffer overflow') in power service

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Description

In power service, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6761, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6875, MT6877, MT6879, MT6885, MT6891, MT6893, MT6895, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21760**

Title

Integer overflow or wraparound in apusys driver

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-190 Integer Overflow or Wraparound

Description

In apusys driver, there is a possible system crash due to an integer overflow. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT9636, MT9638, MT9666

Affected Software Versions

Android 12.0

CVE

**CVE-2022-21761**

Title

Integer overflow or wraparound in apusys driver

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-190 Integer Overflow or Wraparound

Description

In apusys driver, there is a possible system crash due to an integer overflow. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT9636, MT9638, MT9666

Affected Software Versions

Android 11.0

CVE

**CVE-2022-21762**

Title

Integer overflow or wraparound in apusys driver

Severity

Medium

Vulnerability Type

DoS

CWE

CWE-190 Integer Overflow or Wraparound

Description

In apusys driver, there is a possible system crash due to an integer overflow. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT9636, MT9638, MT9666

Affected Software Versions

Android 12.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

June 6, 2022

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2022-21745: June 2022

10 of the most prolific mobile banking trojans have set their eyes on 639 financial applications that are available on the Google Play Store and have been cumulatively downloaded over 1.01 billion times.
Some of the most targeted apps include Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México. These apps alone

10 of the most prolific mobile banking trojans have set their eyes on 639 financial applications that are available on the Google Play Store and have been cumulatively downloaded over 1.01 billion times.

Some of the most targeted apps include Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México. These apps alone account for more than 260 million downloads from the official app marketplace.

Of the 639 apps tracked, 121 are based in the U.S., followed by the U.K. (55), Italy (43), Turkey (34), Australia (33), France (31), Spain (29), and Portugal (27).

"TeaBot is targeting 410 of the 639 applications tracked," mobile security company Zimperium said in a new analysis of Android threats during the first half of 2022. "Octo targets 324 of the 639 applications tracked and is the only one targeting popular, non-financial applications for credential theft."

Aside from TeaBot (Anatsa) and Octo (Exobot), other prominent banking trojans include BianLian, Coper, EventBot, FluBot (Cabassous), Medusa, SharkBot, and Xenomorph.

FluBot is also considered to be an aggressive variant of Cabassous, not to mention hitching its distribution wagon to serve Medusa, another mobile banking trojan that can gain near-complete control over a user's device. Last week, Europol announced the dismantling of infrastructure behind FluBot.

These malicious remote access tools, while hiding behind the cloak of benign-looking apps, are designed to target mobile financial applications in an attempt to carry out on-device fraud and siphon funds directly from the victim's accounts.

In addition, the rogue apps are equipped with the ability to evade detection by often hiding their icons from the home screen and are known to log keystrokes, capture clipboard data, and abuse accessibility services permissions to pursue their objectives such as credential theft.

This involves the use of overlay attacks, pointing a victim to a fake banking login page that's displayed atop legitimate financial apps and can be used to steal the credentials entered.

Consequences of such attacks can range from data theft and financial fraud to regulatory fines and loss of customer trust.

"In the past decade, the financial industry moved completely to mobile for its banking and payments service and stock trading," the researchers said. "While this transition brings increased convenience and new options to consumers, it also introduces novel fraud risks."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

10 Most Prolific Banking Trojans Targeting Hundreds of Financial Apps with Over a Billion Users

User data related to at least 500,000 Android accounts at risk

User data related to at least 500,000 Android accounts at risk

A chained, zero-day exploit could potentially expose all user data in the backend of the companion mobile application for a popular smart weight scale, security researchers have claimed.

Bogdan Tiron, managing partner at UK infosec firm Fortbridge, discovered five vulnerabilities in the Yunmai Smart Scale app, three of which he said could be combined to take over accounts and access user details such as name, gender, age, height, family relationship, and profile photo.

As of May 12, China-based IoT product vendor Zhuhai Yunmai Technology had apparently implemented a fix for only one of the flaws – and even then, Tiron said he managed to bypass the patch.

The flaws were discovered during a penetration test of the Yunmai Android and iOS apps.

**Tipping the scales**

The Yunmai Smart Scale and app allows users to record and track their weight, body-mass index (BMI), body fat percentage, visceral fat, and various other health indicators.

The Android application alone has been downloaded more than 500,000 times.

The chained exploit first involves abusing a enumeration flaw by brute-forcing s into leaking parent uid (‘’) account values. values are then used to add child (‘family member’) accounts to registered parent accounts, made possible by the API’s failure to perform authorization checks.

Catch up on the latest IoT security news

Finally, when the family account is created the corresponding ‘’ and ‘’ are leaked and could be leveraged by attackers “to impersonate the ‘family member’ accounts, switch between the accounts of the family members, and query all their data”, according to a blog post penned by Tiron.

A fourth flaw, meanwhile, means attackers could take over any user account because the Android ‘password reset’ function fails to properly invalidate previously generated ‘forgot password’ tokens when a user requests a new ‘forgot password’ token (the function did not work at all on the iOS app).

“As a result, an attacker can request multiple tokens to be sent to the victim’s email, in order to increase his chances of guessing that code and changing the victim’s password,” said Tiron.

The fifth and final flaw saw the researcher bypass a limit of 16 family members per primary account, as the limit is enforced client-side but not server-side.

**Partial patch**

Tiron disclosed the flaws during September and October 2021. Yunmai’s support team responded to the initial disclosure, but the development team still has not replied, with Fortbridge last emailing them directly on May 18.

Tiron published his findings on May 30.

“To the best of my knowledge none of the findings have been fixed,” the researcher told The Daily Swig. “Last time I have checked on 12th of May, all findings were still unpatched.”

The researcher said he successfully circumvented the sole observed fix, for the ‘forgot password’ issue.

“Unfortunately, Yunmai users are exposed to these issues and there’s nothing they can do to protect themselves at the application level, because these are all issues with the backend API and only Yunmai developers can fix them,” Tiron continued.

“IoT devices have gained a bad reputation in terms of security in the last couple of years and it’s sad to see that things have not improved. We would have expected that Yunmai did at least a pen test before releasing this product or at least that they would have been more responsive when we reached out to them.”

We have invited Zhuhai Yunmai Technology to comment on these findings and will update the article if and when they reply.

As previously reported by The Daily Swig, Fortbridge research has last year included the discovery of serious remote code execution (RCE) vulnerabilities in popular open source content management systems (CMS’) Concrete and Joomla, as well as in web hosting platform cPanel & WHM.

YOU MIGHT ALSO LIKE Horde Webmail contains zero-day RCE bug with no patch on the horizon

Unpatched bug chain poses ‘mass account takeover’ threat to Yunmai weight monitoring app

Plus: The US admits to cyber operations supporting Ukraine, SCOTUS investigates its own, and a Michael Flynn surveillance mystery is solved.

Not to freak out anyone, but there's a serious flaw in all supported versions of Microsoft Windows that allows attackers to take over your machine. The so-called Follina vulnerability can be exploited using a weaponized Word document, and security researchers say they've already spotted government-backed hackers using this attack in the wild. Fingers crossed that Microsoft, which has downplayed the severity of the flaw, issues a patch soon.

Speaking of patches, everything from Apple's iOS and Google Android to Chrome, Firefox, and Zoom received major security updates in May. Check out our complete list of available updates to see which apps you need to attend to as soon as possible.

We also explored the race to protect your voice from hackers and corporate greed. And we tried to unravel the mystery of China's sudden warnings about US state-sponsored hackers going after Chinese systems, despite the fact that these hacks are well known and happened ages ago.

Meanwhile, in India, the country's telecom regulator is preparing to crack down on robocall spam and scammers by requiring callers' names to appear on caller ID. The idea sounds good—until you realize the privacy implications and the fact that such a plan might not even work.

Finally, because nothing's sacred, Canada's privacy commissioner this week announced that a mobile app for Tim Hortons, the beloved coffee chain, illegally spied on its users' locations. The app, which used location-tracking tech from US-based firm Radar, collected a constant stream of users' location data—checking as frequently as every 2.5 minutes—and would create an “event” anytime a user “entered or left” their home, office, major sports complex, or rival coffee shop, according to the commissioner's office.

But that's not all, folks. Each week, we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there. 

If you lived in Illinois between May 1, 2015, and April 25, 2022, Google may owe you some cash. The company recently settled a class-action lawsuit over a feature in the Google Photos app that categorized photos of people based on their faces. The problem? According to the lawsuit, Google failed to receive consent to do so from millions of users, a violation of the state's Biometric Information Privacy Act. Google did not admit fault as part of the settlement, but it has agreed to pay $100 million and put in place measures to avoid further privacy violations. If you were an Illinois resident during that seven-year period and appeared in a photo uploaded to the Google Photos app, you can file a claim for your piece of the $100 million pie.

The blurry line between “at war” and “not at war” grew even fuzzier this week. General Paul Nakasone, the head of US Cyber Command and the NSA, told Sky News that the US military has conducted “a series of operations across the full spectrum," including “offensive, defensive, and information operations” in support of Ukraine's defense against Russia's invasion. Nakasone declined to detail what these operations entailed but assured that they were perfectly legal. The general's admission coincides with the US agreeing to provide Ukraine with advanced missile systems with a range of 50 miles. The Kremlin responded to this news by saying the US was “pouring fuel on the fire.”

As part of the US Supreme Court's investigation into the leak of a draft opinion overturning guaranteed abortion rights in the United States, the Court's clerks have been asked to turn over their private phone records and sign an affidavit, according to CNN. The “unprecedented” move is jarring for civil liberties advocates. As Albert Fox Cahn, found of the Surveillance Technology Oversight Project, writes for WIRED: “The intrusive probe reveals a disturbing about-face from the Supreme Court, and particularly Chief Justice John Roberts, on surveillance powers.” The clerks, meanwhile, are reportedly hesitant to refuse the demand for phone records or seek legal counsel for fear of being wrongly suspected of leaking the draft opinion to _Politico_ reporters.

A Trump-era conspiracy theory can finally be put to rest—theoretically, at least. A 52-page classified report into the “unmasking” of Michael Flynn, a former US national security adviser to Donald Trump, has now been made public thanks to a Freedom of Information Act request filed by Jason Leopold of Buzzfeed News. Republicans have long accused Obama administration operatives of revealing Flynn's name in classified material for political purposes in the lead-up to the 2016 election. But the Justice Department report, prepared by former US Attorney John Brash, found “no evidence that unmasking requests were made for political purposes or other inappropriate reasons during the 2016 election period or the ensuing transition period." Flynn ultimately resigned in 2017 for misleading vice president Mike Pence about Flynn’s calls with Russia's ambassador to the US.

Tag

#android