Slashdot Mirror


LG G3 'Snap' Vulnerability Leaves Owners At Risk of Data Theft (betanews.com)

Mark Wilson writes: Security researchers have discovered a vulnerability in LG G3 smartphones which could be exploited to run arbitrary JavaScript to steal data. The issue has been named Snap, and was discovered by Israeli security firms BugSec and Cynet. What is particularly concerning about Snap is that it affects the Smart Notice which is installed on all LG G3s by default. By embedding malicious script in a contact, it is possible to use WebView to run server side code via JavaScript. If exploited, the vulnerability could be used to gather information from SD cards, steal data from the likes of WhatsApp, and steal private photos.

39 comments

  1. Another day, another Android security hole by Anonymous Coward · · Score: 0, Insightful

    This is, again, why I have an iPhone

    1. Re:Another day, another Android security hole by Anonymous Coward · · Score: 4, Insightful

      Exactly, that's a nice list of patched vulnerabilities. Every one of those seems to be present in versions prior to 9.2.

      Considering that the most prevalent version of Android is 4.4 Kit Kat, released in September 2013, this is also why I have an iPhone.

      While the G3 may (or may not) get an update to that specific piece of software, there are no guarantees. A similar vulnerability in an iOS would definitely be patched in the newest update.

    2. Re:Another day, another Android security hole by JustAnotherOldGuy · · Score: 2, Informative

      This is, again, why I have an iPhone

      Yes, because no iphone has ever had a security vulnerability, now or in the future. It's impossible, IOS is simply impossible to hack, spoof, or do anything bad to, ever. It just can't be done, there is no way to do it. No one has ever hacked an IOS device and no one ever will. Ever. It's just completely out of the question. The words "vulnerability" and "IOS" should never even be found in the same paragraph, let alone the same sentence. IOS has never had a security vulnerability and never will, updates are strictly there to add exciting new features. Everyone knows that.

      --
      Just cruising through this digital world at 33 1/3 rpm...

    3. Re:Another day, another Android security hole by EEPROMS · · Score: 5, Insightful

      This is also why I only have a Nexus, most of these security issues are with third party android handsets with most never getting timely updates (Google really needs to fix this issue). I buy a Nexus for the same reason you get an iphone, up_to_date_security_patches. Yes many of you will say "but, but you can use xyz third party android roms and they don't have this issue". The issue with that is android is now mainstream so 98% of android device owners do not have the ability or the knowledge to change the firmware. The fix is simple, Google needs to start enforcing better security policies on companies who want to use the Google android(tm) brand. People are just going to get sick of not having updates and move to GASP! Windows or Apple.

    4. Re:Another day, another Android security hole by Anonymous Coward · · Score: 0

      Apple would definitely patch it with the newest iOS update. Where patch == "buy a new iPhone".

    5. Re: Another day, another Android security hole by Anonymous Coward · · Score: 0

      3 words:
      Cyanogen Mod.

    6. Re:Another day, another Android security hole by EEPROMS · · Score: 1

      you do realise the security through obscurity theory doesn't work either, there have been cases where there have been black hat hacks for i-devices for months and Apple didn't find out until it became a very public issue.

    7. Re:Another day, another Android security hole by cyber-vandal · · Score: 5, Insightful

      These are all before 9.2 so have been patched on all devices from the 4S onwards. My Note 2 is still on KitKat and has numerous security vulnerabilities which Samsung don't give a shit about fixing.

    8. Re: Another day, another Android security hole by cyber-vandal · · Score: 1

      That's two words and an up to date CM isn't available for every phone. The version available for my old Note 2 for example is based on KitKat. Even if CM supported every phone 100% that's still no excuse for the manufacturers to abandon their customers. The Note 2 was an expensive flagship phone. It should be getting the same kind of support that iPhones get. That's why I abandoned Android. The only Nexus available at the time was a ridiculously huge 6in one and I wanted one below 5in. For a high spec phone that left me two options: Apple or Sony and I didn't have any faith that Sony would update their handset in a reasonable time.

    9. Re:Another day, another Android security hole by JustAnotherOldGuy · · Score: 0, Flamebait

      These are all before 9.2 so have been patched on all devices from the 4S onwards.

      My point stands, there has never been an IOS vulnerability and there never will be, except of course for all the ones they've found so far.

      --
      Just cruising through this digital world at 33 1/3 rpm...

    10. Re:Another day, another Android security hole by peragrin · · Score: 0

      And once Apple found out about them they were patched. That is the difference. Android reported vulnerabilities can go unpatched for years. In the iPhone Apple patches them all within weeks and within a month 70% of iPhones have been patched.

      Which is more secure: a system that receives regular patches and gets users to install them, or a system that can barely get users to install 10% of their updates?

      --
      i thought once I was found, but it was only a dream.

    11. Re: Another day, another Android security hole by IBME · · Score: 0

      It is nice to know that iphone users can't be trusted to do shit but that which their apple overlords deem safe. Thank god for that.

    12. Re:Another day, another Android security hole by stephanruby · · Score: 1

      My Note 2 is still on KitKat and has numerous security vulnerabilities which Samsung don't give a shit about fixing.

      To be fair, your KitKat Note 2 is using the latest Chromium webview that even Android Marshmallow is using (because Google is doing an end-run around the manufacturer updates for some of its component updates).

      I'm not sure why the LG G3 is not doing the same with SmartNotice. It looks like LG G3 is purposefully going out of its way not to use it for its SmartNotice functionality, despite the fact that it is indeed using the right most-up-to-date version of webview for everything else.

    13. Re:Another day, another Android security hole by Anonymous Coward · · Score: 0

      Yea except those are all patched and auto updated on every phone. Tell that to my brother in law with his LG G3....

    14. Re: Another day, another Android security hole by Blaskowicz · · Score: 1

      Two words : my buddy's LG phone is stuck on Android 4.1 and there appears to be *nothing* else available for it.

    15. Re: Another day, another Android security hole by Anonymous Coward · · Score: 0

      2 words. 5 syllables. And his point doesn't change: Google needs to fix this for 98% of Android device owners who don't know how to mod their phones.

    16. Re:Another day, another Android security hole by Anonymous Coward · · Score: 0

      because ios doesn't have to run on every type of phone just iphone so it's easier to dev a patch quickly

    17. Re: Another day, another Android security hole by cyber-vandal · · Score: 1

      Your point is irrelevant. Apple fixes its bugs and provides updates to devices that are over 4 years old. How many 4 year old Android phones are on Marshmallow? My old Note 2 from by far the biggest Android OEM is still on KitKat. I like Android but the fragmentation situation is ridiculous. Just buy a Nexus is a crap answer as well. The OEMs and carriers should be providing these updates in a timely manner but they aren't.

    18. Re: Another day, another Android security hole by cyber-vandal · · Score: 1

      There are many other unpatched bugs. The Note 2 took over a year to get Kitkat and there were no updates in between. It's really poor from the biggest Android OEM.

    19. Re: Another day, another Android security hole by MobileTatsu-NJG · · Score: 0

      Heh. Is the third word 'Microsoft'...?

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    20. Re: Another day, another Android security hole by JustAnotherOldGuy · · Score: 1

      Your point is irrelevant. Apple fixes its bugs and provides updates to devices that are over 4 years old.

      BLASPHEMY!! No Apple product has ever had a security vulnerability, now or in the future. It's impossible. Apple is perfect and godlike, and death to the unbelievers!

      --
      Just cruising through this digital world at 33 1/3 rpm...

    21. Re: Another day, another Android security hole by cyber-vandal · · Score: 1

      That one's fixed too.

    22. Re: Another day, another Android security hole by Anonymous Coward · · Score: 0

      Apple has security issues as well, they just don't publicly admit to it.

    23. Re: Another day, another Android security hole by JustAnotherOldGuy · · Score: 1

      That one's fixed too.

      Thank goodness there will never again be another vulnerability in IOS.

      --
      Just cruising through this digital world at 33 1/3 rpm...

    24. Re: Another day, another Android security hole by cyber-vandal · · Score: 1

      And that one too. I can do this all day. Where's the security fixes for my old Note 2 which is newer than the iPhone 4s? Nowhere in sight unless I install a ROM that may or may not support my hardware. The Android ecosystem sucks hard, regardless of the merits of the OS itself (which I like and use). I don't know why you're so ardently defending Samsung / HTC / Sony et al when they don't give a shit about your security. Apple are a bunch of scumbags, but a bunch of scumbags that actually fix their software, rather than leaving their users hanging out to dry.

  2. Javascript for your operating system by Anonymous Coward · · Score: 1

    When you use javascript in places it shouldn't, that's what you get. Next up, javascript based self driving cars.

  3. The best way to deal with this by Lirodon · · Score: 1

    Stop using your phone's in-house launcher.

    1. Re:The best way to deal with this by Anonymous Coward · · Score: 0

      Stop using your phone's in-house launcher.

      The best way is to root and install Cyanogen.

    2. Re:The best way to deal with this by Anonymous Coward · · Score: 0

      So the exploit works thus:

      By embedding malicious script in a contact

      So maybe I'm out of touch with how people use their cell phones, but I create my contacts by hand, for people I know personally.
      Where are people getting malicious contacts from?

  4. That's okay, though, 'cause it's LG... by Overzeetop · · Score: 3, Funny

    ...it should be patched by early February. In the year 2245.

    Well, unless you have your G3 on Verizon, then you might just need to leave a note for Buck Rogers so that he can apply the patch when it comes out.

    --
    Is it just my observation, or are there way too many stupid people in the world?

    1. Re:That's okay, though, 'cause it's LG... by eclectro · · Score: 1

      ...it should be patched by early February. In the year 2245.

      And this is why LG is losing me as a customer. They drag their feet with every single security update, probably to "encourage" owners to upgrade. You'd think that they could afford to hire someone just to take care of the occasional security patch and update. That and they should be sued for their phones overheating because of the 810 processor. As good as the LG G4's camera is, Samsung's is on par with it and others are catching up as well.

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"

    2. Re:That's okay, though, 'cause it's LG... by Anonymous Coward · · Score: 0

      Actually, I saw a recent note that Verizon is now rolling out Android 6.01 (Marshmallow) for the LG G3 and that it contains this fix. Verizon also upgraded them all to 5.1.1, which almost no one else did.

    3. Re: That's okay, though, 'cause it's LG... by dothasmurfysmurf · · Score: 1

      My G4 has been running marshmallow from the carrier's ota update for close to a month, it was one of the first phones in the states to get it. My G3 before it also got lollipop very quick, among the first phones to get it as well. The G4 uses the snapdragon 808, not 810, by the way. I used to be a Samsung user until I broke my galaxy s4 and decided to try out LG... I was tired of touchwiz, tired of the physical home button and capacitive keys... When I broke my galaxy s4, I looked at YouTube videos on repairing the screen... It looked like a nightmare- the glass is glued to the amoled display, you need a heat gun to soften it up enough to pry the glass off. I recently broke the screen on my G4, watched a video on how to repair and was surprised how simple it was... Ordered the replacement and when it arrived had it switched out and phone running in under 15 minutes, didn't even have to watch the video again to do it. It's also survived a drop into a full bathtub. I'm a very satisfied customer and imagine my next phone will be the G5 or possibly the V10 successor. Not a paid shill, just can't sign out of this damned account to my original one. ~jsh1972

    4. Re:That's okay, though, 'cause it's LG... by Anonymous Coward · · Score: 0

      To be accurate, if you're in the US, you probably never were an LG phone customer. Your carrier is the customer. If you look at the ROM release date that LG makes available versus the carrier's release date, it's easy to see that it's not LG holding everything up. LG historically is one of the fastest to make the ROM available to the carriers. And both the carrier and LG have so many customers that neither cares whether a few leave because there are always more to replace them. No, I do now work for LG or any carrier nor do I know anyone who does.

  5. sources by Anonymous Coward · · Score: 0

    maybe next time BetaNews' Mark Wilson could link to the sources as well, instead of just his article.... and the issue is not named Snap... he just named it Snap... is it just me... or do tech journalists these days take too much privileges in their pieces?

  6. Nobody's going to steal photos by BarbaraHudson · · Score: 1

    All they have to do is wait for the user to upload them to facebook.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

  7. Was backdoor, now vulnerability by Anonymous Coward · · Score: 0

    Someone who should have minded their own business found the BACKDOOR, now it's just a VULNERABILITY.

  8. Not a vulnerability by Anonymous Coward · · Score: 0

    It's how the gov't will gather info thru a 'back door' to avoid users' encrypted passwords.