Lucene search

K
talosTalos IntelligenceTALOS-2018-0655
HistoryFeb 07, 2019 - 12:00 a.m.

Rakuten Viber Android Secret Chats Information Disclosure Vulnerability

2019-02-0700:00:00
Talos Intelligence
www.talosintelligence.com
19

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

20.2%

Summary

An exploitable information disclosure vulnerability exists in the “Secret Chats” functionality of Rakuten Viber on Android 9.3.0.6. The “Secret Chats” functionality allows a user to delete all traces of a chat either by using a time trigger or by direct request. There is a bug in this functionality which leaves behind photos taken and shared on the secret chats, even after the chats are deleted. These photos will be stored in the device and accessible to all applications installed on the Android device.

Tested Versions

Rakuten Viber Android 9.3.0.6

Product URLs

<http://www.viber.com>

CVSSv3 Score

4.2 - CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-359: Exposure of Private Information (‘Privacy Violation’)

Details

When a user takes a picture to send over a secret chat, a copy of that photo will remain on the Android filesystem even after the user deletes the chat. Or even if the chat is self-destructed.

The problem lies in the way Viber takes the photo upon user request. The class com.viber.voip.util.aj contains the code that takes the photo:

a var1 = new a(); var1.b = cq.h.a(var0, (String)null, false); if (var1.b != null) { var1.b = c.a(var1.b, var0, “com.viber.voip.provider.file”); « Path to safe photo }

if (n.b(true) && n.a(true)) { ArrayList var2 = new ArrayList(); Intent var3 = new Intent(“android.media.action.IMAGE_CAPTURE”); « Intent Creation var3.putExtra(“output”, var1.b); ViberActionRunner.a(var0, var3, var1.b); var2.add(var3); var1.a = Intent.createChooser((new Intent()).setType(“image/*”).setAction(“android.intent.action.PICK”), ViberApplication.getInstance().getString(2131822644));

var1.a.putExtra("android.intent.extra.INITIAL_INTENTS", (Parcelable[])var2.toArray(new Parcelable[0])); }

Viber uses the intent “android.media.action.IMAGE_CAPTURE” to take the photo. This means that the photo is actually taken by the application that is registered to act upon this action. Although Viber passes the path to save the picture it doesn’t control what the application does with the photo.

In most cases, the native camera application will save the photo on the Android file system next to saving the picture to the path passed by Viber.

This means that when a secret chat is deleted, Viber deletes the photo which resides in the path it provided to Mediastore, but not the one saved by the native camera application.

In order to avoid this issue Viber should implement its own photo taking code using the Camera2 class (Camera class could also be used but it as been deprecated on API level 21). This way the application can ensure that the photo data is not saved by a third party application.

Timeline

2018-09-05 - Vendor Disclosure 2019-02-07 - Public Release

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

20.2%

Related for TALOS-2018-0655