Zero-day allows third-party apps to bypass the Google Admin sandbox

A security vulnerability (0-day or zero-day) has just been disclosed that allows third-party applications to bypass the sandbox restrictions of the Google Admin console.
Security researcher Vahagn Vardanyan of MWR Labs says that the defect, discovered in the Google Admin app for Android, allows third-party applications to bypass sandbox restrictions and read arbitrary files via symbolic links.

If the console receives a URL through an IPC call from another app on the same device, Android opens that link using WebView.

However, if an attacker uses a file:// URL that points to a file he controls, then, as Vardanyan notes, it is possible to bypass the same-origin policy and retrieve data from the Google Admin sandbox.

So if a malicious third-party application under the attackers' control is installed, they will be able to read data from any file inside the Google Admin sandbox.

According to the researcher, the vulnerability can be exploited when a link is sent with setup_url set, which triggers ResetPinActivity and opens a WebView with the privileges of the Google Admin console. An attacker could add HTML to the file the link points to, including an iframe, which causes a one-second delay while the link is loaded in WebView. The attacker could then delete this file and replace it with a symbolic link of the same name that points to a Google Admin file.
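How an activity that receives a URL over IPC can refuse the file:// case described above, shown as an added defensive example (not Google's code and not from MWR Labs). The class name, the allowlisted host and the choice to read setup_url as an intent extra are assumptions; only the name setup_url comes from the article.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical activity: class name and allowlist are assumptions for illustration.
public class HardenedSetupActivity extends Activity {
    // Constructed allowlist: only hosts this app is meant to display.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("accounts.example.com"));

    /** Accept only https URLs on an allowlisted host; file://, content:// and the rest fail. */
    static boolean isAllowed(Uri uri) {
        if (uri == null || !uri.isHierarchical()) return false;
        String scheme = uri.getScheme();
        String host = uri.getHost();
        return "https".equalsIgnoreCase(scheme)
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The value arrives over IPC from another app, so treat it as untrusted input.
        String raw = getIntent().getStringExtra("setup_url");
        Uri uri = raw == null ? null : Uri.parse(raw);
        if (!isAllowed(uri)) {
            finish(); // refuse instead of rendering caller-chosen content
            return;
        }
        WebView webView = new WebView(this);
        WebSettings settings = webView.getSettings();
        // Defence in depth: block file:// and content:// loads, and stop any
        // file:// page from reading other files through script.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        setContentView(webView);
        webView.loadUrl(uri.toString());
    }
}
```

If the activity has no reason to be started by other apps, declaring it with `android:exported="false"` in the manifest removes the IPC entry point altogether.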

But let's talk a little about Google's hypocrisy.
The defect was first reported to Google on 17 March. On 18 March, the company's security team acknowledged the report and then asked for two weeks to develop and release an update with a patch.

In June, MWR Labs asked what had happened with the patch, and later in the same month Google acknowledged that it had been delayed and requested another extension before the vulnerability was made public.

In July, the security company announced its intention to publish the vulnerability in August.

So far, Google has not released a fix for the problem. For their own protection, those who use Google Admin on their device should not install or use any third-party applications.

The hypocrisy now, if you haven't figured it out yet: Google's security team is known for publishing vulnerabilities after notifying the developers who built the application or software that contains the vulnerability. As the company's policy states, they always give a deadline of 90 days. After those 90 days the vulnerability is published, forcing the company to update its product immediately. The Project Zero team has disclosed vulnerabilities of , Adobe and Apple without giving a single day's extension to the deadlines.

iGuRu.gr The Best Technology Site in Greece

Written by Dimitris
