Google Cardboard Android / iOS Applications Information Disclosure

CVE: CVE-2020-9227
Category: CWE-200
Price: $5000
Severity: High
Author: Bob Smith
Risk: High
Exploitation Type: Remote
Date: 2018-11-02
CPE: cpe:cpe:/a:google:cardboard:android_ios
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018110007

Below is a copy:

Google Cardboard Android / iOS Applications Information Disclosure
https://www.info-sec.ca/advisories/Google-Cardboard.html

Google Cardboard Android & iOS Applications - Unencrypted Third Party 
Analytics

Overview

"Cardboard puts virtual reality on your smartphone. The Cardboard app 
helps you launch your favorite VR experiences, discover new apps, and 
set up a viewer."

(https://play.google.com/store/apps/details?id=com.google.samples.apps.cardboarddemo)
(https://itunes.apple.com/us/app/google-cardboard/id987962261)

Issue

The Google Cardboard Android & iOS applications (Android version 1.8, 
iOS version 1.2 and below) send potentially sensitive information, such 
as OS, CPU architecture, graphics chip vendor & version, CPU count, RAM, 
VRAM, screen size, and device make and model, unencrypted to a third-party 
site (Unity 3D Stats).

Impact

An attacker who can monitor network traffic could capture potentially 
sensitive information about the user's device without their knowledge.
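
One way to audit an app's traffic for this class of issue, as an added example that is not part of the original advisory: the script below scans requests exported from an intercepting proxy and flags cleartext HTTP requests that carry device attributes. The parameter names, hosts and sample capture are hypothetical placeholders, since the advisory does not give the real field names or endpoint.

```python
from urllib.parse import urlsplit, parse_qsl

# Hypothetical parameter names standing in for the device attributes the
# advisory lists; the real field names are not given on the page.
DEVICE_FIELDS = {
    "os", "cpu_arch", "gpu_vendor", "gpu_version", "cpu_count",
    "ram", "vram", "screen", "make", "model",
}

def audit_requests(requests, first_party_suffixes):
    """Return findings for cleartext requests that carry device attributes.

    requests: iterable of (url, body) tuples exported from a proxy capture.
    first_party_suffixes: host suffixes owned by the app vendor.
    """
    findings = []
    for url, body in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # TLS-protected traffic is out of scope for this check
        # Device attributes may travel in the query string or a form body.
        params = parse_qsl(parts.query) + parse_qsl(body or "")
        leaked = sorted({k.lower() for k, _ in params} & DEVICE_FIELDS)
        if not leaked:
            continue
        host = (parts.hostname or "").lower()
        third_party = not any(
            host == s or host.endswith("." + s) for s in first_party_suffixes
        )
        findings.append({"host": host, "third_party": third_party, "fields": leaked})
    return findings

# Constructed sample capture (hosts are placeholders, not from the advisory).
SAMPLE = [
    ("http://stats.analytics.example/collect?os=Android+7.0&cpu_arch=arm64",
     "gpu_vendor=Qualcomm&ram=3072&vram=512&screen=1080x1920&model=Pixel"),
    ("https://stats.analytics.example/collect?os=Android+7.0", ""),
    ("http://cdn.vendor.example/asset.png?v=3", ""),
    ("http://api.vendor.example/ping?model=Pixel", None),
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE, ["vendor.example"]):
        print(finding)
```

A finding with third_party set to True matches the situation the advisory describes: device details sent in cleartext to a host outside the vendor's own domains.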

Timeline

May 9, 2017 - Notified Google of the issue
May 9, 2017 - Google sent an auto acknowledgment
May 10, 2017 - Google responded stating that they are investigating
May 18, 2017 - Asked for an update
May 19, 2017 - Google acknowledged the issue
June 6, 2017 - Google provided the information to their development team
June 6, 2017 - Provided additional information to Google about the 
privacy considerations
June 8, 2017 - Google advised that they are working on the issue
July 5, 2017 - Asked for an update
July 6, 2017 - Google provided an update
July 20, 2017 - Asked for an update
July 24, 2017 - Google advised that they expect the applications will be 
updated in 2-4 months
November 20, 2017 - Asked whether the release is on schedule
November 24, 2017 - Google provided an update
December 13, 2017 - Asked for an update
December 14, 2017 - Google provided an update
May 28, 2018 - Asked for an update
June 8, 2018 - Google provided an update
August 24, 2018 - Notified Google of a planned disclosure date of 
November 1, 2018

Solution

The Google Cardboard Android & iOS applications as of November 1, 2018 
are affected.
