https://www.info-sec.ca/advisories/Google-Cardboard.html

Google Cardboard Android & iOS Applications - Unencrypted Third Party Analytics

Overview

"Cardboard puts virtual reality on your smartphone. The Cardboard app helps you launch your favorite VR experiences, discover new apps, and set up a viewer."
(https://play.google.com/store/apps/details?id=com.google.samples.apps.cardboarddemo)
(https://itunes.apple.com/us/app/google-cardboard/id987962261)

Issue

The Google Cardboard Android & iOS applications (Android version 1.8, iOS version 1.2 and below) send potentially sensitive information, such as OS, CPU architecture, graphics chip vendor & version, CPU count, RAM, VRAM, screen size, and device make and model, unencrypted to a third party site (Unity 3D Stats).

Impact

An attacker who can monitor network traffic could capture potentially sensitive information about the user's device without their knowledge.

Timeline

May 9, 2017 - Notified Google of the issue
May 9, 2017 - Google sent an auto acknowledgment
May 10, 2017 - Google responded stating that they are investigating
May 18, 2017 - Asked for an update
May 19, 2017 - Google acknowledged the issue
June 6, 2017 - Google provided the information to their development team
June 6, 2017 - Provided additional information to Google about the privacy considerations
June 8, 2017 - Google advised that they are working on the issue
July 5, 2017 - Asked for an update
July 6, 2017 - Google provided an update
July 20, 2017 - Asked for an update
July 24, 2017 - Google advised that they expect the applications will be updated in 2-4 months
November 20, 2017 - Asked whether the release is on schedule
November 24, 2017 - Google provided an update
December 13, 2017 - Asked for an update
December 14, 2017 - Google provided an update
May 28, 2018 - Asked for an update
June 8, 2018 - Google provided an update
August 24, 2018 - Notified Google of a planned disclosure date of November 1, 2018

Solution

The Google Cardboard Android & iOS applications as of November 1, 2018 are affected.
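
Added example (not part of the original advisory, and not Google or Unity code): one way to audit a captured request list from your own test device for the condition described under Issue, that is, device attributes sent over plain HTTP to a host outside the app vendor's domains. The key names, host names and sample requests are assumptions constructed for illustration; the advisory does not give the real request format.

```python
from urllib.parse import urlsplit, parse_qsl

# Hypothetical key names standing in for the device attributes the advisory
# lists; the real analytics request format is not given on the page.
DEVICE_KEYS = {
    "os": "OS",
    "cpu_arch": "CPU architecture",
    "gfx_vendor": "graphics chip vendor",
    "gfx_version": "graphics chip version",
    "cpu_count": "CPU count",
    "ram": "RAM",
    "vram": "VRAM",
    "screen": "screen size",
    "make": "device make",
    "model": "device model",
}

def cleartext_device_leaks(requests, first_party_suffixes):
    """Return findings for requests that carry device attributes over plain
    HTTP to a host outside the app vendor's own domains."""
    findings = []
    for req in requests:
        url = urlsplit(req["url"])
        if url.scheme != "http":
            continue  # TLS-protected traffic is out of scope for this check
        host = (url.hostname or "").lower()
        if any(host == s or host.endswith("." + s) for s in first_party_suffixes):
            continue  # first-party destination, not a third-party site
        # Device fields may travel in the query string or a form-encoded body.
        pairs = parse_qsl(url.query) + parse_qsl(req.get("body", ""))
        leaked = sorted({DEVICE_KEYS[k] for k, v in pairs if k in DEVICE_KEYS and v})
        if leaked:
            findings.append({"host": host, "leaked": leaked})
    return findings

# Constructed sample capture (not real traffic from the applications).
SAMPLE = [
    {"url": "http://stats.example.invalid/report?os=Android+7.1&cpu_arch=arm64",
     "body": "model=Pixel&make=Google&ram=3712&vram=512&screen=1080x1920"},
    {"url": "https://stats.example.invalid/report?os=Android+7.1", "body": ""},
    {"url": "http://cdn.vendor.example/asset?id=7", "body": ""},
]

if __name__ == "__main__":
    for f in cleartext_device_leaks(SAMPLE, ["vendor.example"]):
        print(f["host"], "<-", ", ".join(f["leaked"]))
```

Only the first sample request is reported: the second is sent over HTTPS and the third goes to a first-party host.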