Zero-day allows bypassing the sandbox in Google Admin

A security flaw (0-day or zero-day) has been discovered that allows third-party applications to bypass the sandbox restrictions of the Google Admin console.

Security researcher Vahagn Vardanyan of MWR Labs says that the defect, which he discovered in the Google Admin app, allows third-party applications to bypass sandbox restrictions and read arbitrary files through symbolic links.

If the console receives a URL via an IPC call from another application on the same device, Android opens this link using WebView.

However, if an attacker uses a file:// URL that leads to a location he controls, then Vardanyan says it is likely that the same-origin policy can be bypassed, making it possible to retrieve data from the Google Admin sandbox.

So if a malicious third-party application controlled by attackers is installed, they will be able to read data from any file inside the Google Admin sandbox.

According to the researcher, the vulnerability can be exploited when the setup_url is triggered via a sent link, which starts ResetPinActivity and activates the WebView with Google Admin console privileges. An attacker can add HTML to these links that includes iframes, causing a one-second delay while the file is sent to the WebView. The attacker can then delete this file and replace it with a symbolic link of the same name that points to a Google Admin file.
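The class of bug described above comes from rendering a caller-supplied URL in a privileged WebView. The sketch below is an added example, not Google Admin's code or MWR Labs' proof of concept: it shows one way an Android activity can treat such a URL as untrusted. The class name `SafeLinkActivity` and the host `admin.example.com` are hypothetical; only the `setup_url` extra name comes from the text.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical activity that receives a URL over IPC and renders it.
public class SafeLinkActivity extends Activity {
    // Assumption: the only host this app needs to display (placeholder value).
    private static final String ALLOWED_HOST = "admin.example.com";

    // Accept only https on the expected host; file://, content:// and
    // javascript: URLs are rejected because their scheme is not https.
    static boolean isAllowed(Uri uri) {
        return uri != null
                && "https".equalsIgnoreCase(uri.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The extra is set by another app, so it is untrusted input.
        String raw = getIntent().getStringExtra("setup_url");
        Uri uri = raw == null ? null : Uri.parse(raw);
        if (!isAllowed(uri)) {
            finish(); // refuse to load anything outside the allow-list
            return;
        }
        WebView webView = new WebView(this);
        WebSettings settings = webView.getSettings();
        // Defence in depth: the WebView cannot load local files, and pages
        // with a file origin cannot read other files or other origins.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        // Re-apply the allow-list to later top-level navigations (redirects, links).
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl()); // true cancels the navigation
            }
        });
        setContentView(webView);
        webView.loadUrl(uri.toString());
    }
}
```

If no other application needs to start the activity, declaring it with `android:exported="false"` in the manifest removes the IPC entry point altogether.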

But let's talk a little about Google's hypocrisy.
The defect was first submitted to Google on 17 March. On 18 March, the company's security team acknowledged the report and asked for two weeks to develop and release an update with a patch.

In June, MWR Labs asked what had happened with the patch, and later in the same month Google acknowledged that it had been delayed and requested a further extension before the vulnerability was made public.

In July, the security company announced its intention to publish the vulnerability in August.

To date Google has not released any update that fixes it. For your own protection, those of you with Google Admin on your device should not install or use any third-party application.

The hypocrisy, in case you have not yet understood it: Google's Project Zero security team is known for publishing vulnerabilities after notifying the developers of the application or software that contains them. As stated in the company's policy, it always gives a deadline of 90 days. After these 90 days, the vulnerability is published, forcing the company to update its product immediately. The Project Zero team has disclosed vulnerabilities affecting Microsoft, Adobe and Apple without extending the deadline by even a day.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
