A security gap (0-day or zero-day) has been discovered that allows third-party applications to bypass the sandbox restrictions of the Google Admin console app.
Security researcher Vahagn Vardanyan of MWR Labs says that the defect, found in the Google Admin app for Android, allows third-party applications to bypass the sandbox restrictions and read arbitrary files via symbolic links.
If the Google Admin app receives a URL through an IPC call from another application residing on the same device, it opens that link using a WebView.
However, if an attacker supplies a file:// URL that points to a location under their control, then, according to Vardanyan, it is possible to bypass the same-origin policy and thus retrieve data from the Google Admin app's sandbox.
So if a malicious third-party application under the attacker's control is installed on the device, it will be able to read data from any file inside the Google Admin sandbox.
According to the researcher, the vulnerability is exploited when the setup_url value is supplied through a sent link, which triggers ResetPinActivity and loads the WebView with the Google Admin app's privileges. An attacker could add HTML to these links, including an iframe, causing a one-second delay while the link is being loaded into the WebView. During that delay the attacker could delete the file and replace it with a symbolic link of the same name that points to a Google Admin file.
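As an added illustration (not Google's code and not taken from the MWR advisory), the hypothetical Android Activity below shows the weak pattern the researcher describes next to a hardened version; the class name, the allow-listed host and the specific WebView settings are assumptions:

```java
// Added illustration, not Google's code: a hypothetical Activity that receives
// a URL via an Intent extra (the page names the extra "setup_url") and loads it
// in a WebView. The weak version trusts the caller; the hardened version rejects
// file:// URLs and turns off WebView file access.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;

public class ResetPinActivityExample extends Activity {
    // Hypothetical allow-list of hosts the app legitimately needs to load.
    private static final List<String> ALLOWED_HOSTS = Arrays.asList("admin.google.com");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        String url = getIntent().getStringExtra("setup_url");

        // WEAK: any app on the device can start this Activity and hand it a
        // file:// URL, which the WebView then renders with this app's own
        // sandbox privileges (the defect class described above).
        // webView.loadUrl(url);

        // HARDENED: validate the caller-supplied URL and disable file access.
        if (!isSafeHttpsUrl(url)) {
            finish();   // refuse untrusted input instead of rendering it
            return;
        }
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);                 // no file:// loads at all
        settings.setAllowFileAccessFromFileURLs(false);     // no file-to-file reads
        settings.setAllowUniversalAccessFromFileURLs(false);
        settings.setJavaScriptEnabled(false);               // unless the page truly needs it
        webView.loadUrl(url);
    }

    // Accept only https URLs on an allow-listed host; everything else
    // (file://, content://, javascript:, arbitrary hosts) is rejected.
    static boolean isSafeHttpsUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }
}
```

If the Activity does not need to be reachable from other apps at all, declaring it with android:exported="false" in the manifest removes the IPC entry point entirely, which is the simplest mitigation.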
But let's talk a little about Google's hypocrisy.
The flaw was first reported to Google on March 17. On March 18, the company's security team acknowledged the report and then requested two weeks to develop and release an updated version with a patch.
In June, MWR Labs asked what had happened with the patch, and later that month Google acknowledged that it had been delayed and requested another extension before the vulnerability was published.
In July, the security company announced its intention to publish the vulnerability in August.
To date Google has not released a fix for the problem. For their own protection, those using Google Admin on their device should not install or use any third-party applications.
The hypocrisy, if you haven't figured it out yet: Google's security team Project Zero is known for publishing vulnerabilities after notifying the developers of the app or software that contains them. As its policy states, it always gives a deadline of 90 days. After those 90 days the vulnerability is published, forcing the company to update its product immediately. The Project Zero team has exposed vulnerabilities in Microsoft, Adobe and Apple products without granting a single day of extension to the deadline.