A security flaw (0day, or zero-day) has been discovered that allows third-party applications to bypass the sandbox restrictions of the Google Admin console.
Security researcher Vahagn Vardanyan of MWR Labs says that the defect, which he discovered in the Google Admin app for Android, allows third-party applications to bypass sandbox restrictions and read arbitrary files through symbolic links.
If the console receives a URL via an IPC call from another application on the same device, Android opens this link using WebView.
However, if an attacker uses a file:// URL that points to a location he controls, then Vardanyan says he is likely able to bypass the Same Origin Policy and thus retrieve data from the Google Admin sandbox.
So if a malicious third-party application under the attackers' control is installed on the device, they will be able to read data from any file inside the Google Admin sandbox.
According to the researcher, the vulnerability can be exploited when the setup_url is triggered via a sent link, which then starts a ResetPinActivity and activates the WebView with Google Admin console privileges. An attacker can add HTML to these links by including iframes, causing a one-second delay while the link is sent to the WebView. The attacker can then delete this file and replace it with a symbolic link of the same name that points to a Google Admin file.
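The mitigation side of the flow described above, as an added example that is not Google Admin's code: an activity that receives `setup_url` over IPC checks the scheme and host before handing the URL to a WebView, and turns off file access in the WebView as a second layer. The class name `SetupActivity` and the host `setup.example.com` are assumptions made for illustration.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Hypothetical activity for illustration; not the Google Admin source.
public class SetupActivity extends Activity {
    // Assumption: the only host this screen ever needs to display.
    private static final String ALLOWED_HOST = "setup.example.com";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Intent extras arrive over IPC and may come from any app on the device.
        Uri uri = parseTrusted(getIntent().getStringExtra("setup_url"));
        if (uri == null) {
            finish(); // refuse rather than render caller-chosen content
            return;
        }
        WebView view = new WebView(this);
        harden(view.getSettings());
        setContentView(view);
        view.loadUrl(uri.toString());
    }

    // Accept only https URLs on the expected host.
    static Uri parseTrusted(String raw) {
        if (raw == null) return null;
        Uri uri = Uri.parse(raw);
        // Rejects file://, content://, javascript: and scheme-less input.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return null;
        if (!ALLOWED_HOST.equalsIgnoreCase(uri.getHost())) return null;
        return uri;
    }

    // Defense in depth: even if a local URL slipped through, the WebView
    // cannot read files, so a swapped-in symbolic link yields nothing.
    static void harden(WebSettings s) {
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
    }
}
```

If no other application needs to start such an activity, declaring it with `android:exported="false"` in the manifest removes the IPC entry point altogether.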
But let's talk a little about Google's hypocrisy.
The defect was first reported to Google on 17 March. On 18 March, the company's security team acknowledged the report and then asked for two weeks to develop and release an update with a patch.
In June, MWR Labs asked what had happened with the patch, and later in the same month Google acknowledged that it had been delayed and requested another deadline before publication.
In July, the security company announced its intention to publish the vulnerability in August.
To date Google has not released any update that fixes the problem. For your own protection, those of you who use Google Admin on your device should not install or use any third-party applications.
The hypocrisy, in case you have not yet understood it: the Google Project Zero security team is known for publishing vulnerabilities after notifying the developers of the application or software that contains the vulnerability. As stated in the company's policy, it always gives a time limit of 90 days. After these 90 days, the vulnerability is published, forcing the company to update its product immediately. The Project Zero team has disclosed vulnerabilities affecting Microsoft, Adobe and Apple without extending the deadline by even a day.