Google Cardboard Android / iOS Applications Information Disclosure

CVE: CVE-2020-9227
Category: CWE-200
Price: $5000
Severity: High
Author: Bob Smith
Risk: High
Exploitation Type: Remote
Date: 2018-11-02
CPE: cpe:cpe:/a:google:cardboard:android_ios
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018110007

Below is a copy:

Google Cardboard Android / iOS Applications Information Disclosure
https://www.info-sec.ca/advisories/Google-Cardboard.html

Google Cardboard Android & iOS Applications - Unencrypted Third Party 
Analytics

Overview

"Cardboard puts virtual reality on your smartphone. The Cardboard app 
helps you launch your favorite VR experiences, discover new apps, and 
set up a viewer."

(https://play.google.com/store/apps/details?id=com.google.samples.apps.cardboarddemo)
(https://itunes.apple.com/us/app/google-cardboard/id987962261)

Issue

The Google Cardboard Android & iOS applications (Android version 1.8, 
iOS version 1.2 and below) send potentially sensitive information, such 
as OS, CPU architecture, graphics chip vendor & version, CPU count, RAM, 
VRAM, screen size, and device make and model, unencrypted to a third-party 
site (Unity 3D Stats).

Impact

An attacker who can monitor network traffic could capture potentially 
sensitive information about the user's device without their knowledge.
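
One way to check a test-device traffic capture for the behaviour described above, as an added example that is not part of the original advisory: it scans a HAR export for plain-HTTP requests that carry device attributes. The field names and hosts are hypothetical, since the advisory does not list the ones the apps actually use.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Hypothetical field names for the device attributes the advisory lists;
# real names depend on the analytics SDK and must be taken from a capture.
DEVICE_FIELDS = {"os", "cpu", "cpucount", "gfxvendor", "gfxver", "ram",
                 "vram", "screen", "make", "model"}

def request_fields(request):
    """Collect parameter names from the query string and the request body."""
    names = {k.lower() for k, _ in parse_qsl(urlsplit(request["url"]).query)}
    body = request.get("postData", {})
    text = body.get("text", "")
    if "json" in body.get("mimeType", ""):
        try:
            parsed = json.loads(text)
        except ValueError:
            parsed = {}
        if isinstance(parsed, dict):
            names |= {k.lower() for k in parsed}
    else:
        names |= {k.lower() for k, _ in parse_qsl(text)}
    return names

def cleartext_device_leaks(har, min_fields=3):
    """Return (host, leaked field names) for plain-HTTP requests that carry
    at least min_fields device attributes."""
    findings = []
    for entry in har["log"]["entries"]:
        request = entry["request"]
        url = urlsplit(request["url"])
        if url.scheme.lower() != "http":
            continue  # TLS-protected requests are outside this check
        leaked = sorted(request_fields(request) & DEVICE_FIELDS)
        if len(leaked) >= min_fields:
            findings.append((url.hostname, leaked))
    return findings

# Constructed HAR excerpt (not captured from the Cardboard apps).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "http://stats.example.invalid/hw",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "os=Android+7.0&cpu=arm64&ram=3072&model=Pixel"}}},
    {"request": {"method": "GET",
                 "url": "https://stats.example.invalid/hw?os=iOS&cpu=arm64&ram=2048"}},
    {"request": {"method": "GET", "url": "http://cdn.example.invalid/a.png?v=2"}},
]}}

if __name__ == "__main__":
    for host, fields in cleartext_device_leaks(SAMPLE_HAR):
        print(f"cleartext device telemetry to {host}: {', '.join(fields)}")
```
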

Timeline

May 9, 2017 - Notified Google of the issue
May 9, 2017 - Google sent an auto acknowledgment
May 10, 2017 - Google responded stating that they are investigating
May 18, 2017 - Asked for an update
May 19, 2017 - Google acknowledged the issue
June 6, 2017 - Google provided the information to their development team
June 6, 2017 - Provided additional information to Google about the 
privacy considerations
June 8, 2017 - Google advised that they are working on the issue
July 5, 2017 - Asked for an update
July 6, 2017 - Google provided an update
July 20, 2017 - Asked for an update
July 24, 2017 - Google advised that they expect the applications will be 
updated in 2-4 months
November 20, 2017 - Asked whether the release is on schedule
November 24, 2017 - Google provided an update
December 13, 2017 - Asked for an update
December 14, 2017 - Google provided an update
May 28, 2018 - Asked for an update
June 8, 2018 - Google provided an update
August 24, 2018 - Notified Google of a planned disclosure date of 
November 1, 2018

Solution

The Google Cardboard Android & iOS applications as of November 1, 2018 
are affected.
