- "기밀 VM의 빈틈을 메운다" 마이크로소프트의 오픈소스 파라바이저 '오픈HCL'란?
- The best early Black Friday AirPods deals: Shop early deals
- The 19 best Black Friday headphone deals 2024: Early sales live now
- I tested the iPad Mini 7 for a week, and its the ultraportable tablet to beat at $100 off
- The best Black Friday deals 2024: Early sales live now
Android Apps Fail to Protect User Data During Device Transfer
Multiple Android applications have been observed not invalidating or revalidating session cookies during app data transfer from one device to another.
The technique would enable attackers with a highly privileged device migration tool to move applications to a new Android device, causing migration issues, according to a new advisory by CloudSEK researchers.
“This means if a person is able to have physical access to your unlocked device for some time, he/she can copy your app data onto his/her device and impersonate you and your accounts, thus using the applications on your behalf without entering login ID or passwords,” the company wrote.
CloudSEK explained that in specific applications such as WhatsApp, the actors could also bypass the 2FA mechanism. The security experts validated the claims by conducting an experiment using two Realme devices.
“This issue happens as the secret keys used by WhatsApp gets copied over to the new phone. Because of this, on WhatsApp’s side, these two devices look like they are the same since they use the same credentials to authenticate to us.”
In the advisory, CloudSEK said it reported the vulnerability to Meta, which considered it a social engineering scenario and disregarded it as a security issue. Meta has not immediately replied to Infosecurity’s comment request on the matter.
“[We] tried replicating the same method with Instagram, considering both are owned and operated by Meta, but Instagram logged out all accounts and requested a new login,” clarified CloudSEK.
Other popular apps that failed to invalidate session cookies include Canva, Snapchat, Telegram, LinkedIn, Discord and Booking.com.
“To mitigate this threat, it is essential to secure your phone with a password,” CloudSEK warned. “If you are unable to download an app yourself, refrain from handing your device to another individual to download it on your behalf. It is important to carefully review the permissions required by an app before granting them access and to revoke permissions when the task is complete.”
The advisory comes weeks after Google unveiled a new policy for Android apps to mandate the addition of deletion option for both user accounts and the data associated with them.