This is not the first time that Android has made headlines because of a newly discovered vulnerability, as has been the case with other operating systems, of course. The difference this time is that neither the system nor its maintainers are responsible. Two flaws, one that allows private tweets to be read in the Twitter application and a second that allows access to all of a user's files over Wi-Fi networks, have been laid at the door of Android's security.

Twitter loophole

"A Twitter loophole on Android has enabled the reading of private tweets for five years," reported the technology news site Engadget. Social media users shared the news with a focus on Android rather than Twitter, placing the blame on Google rather than on the Twitter engineers who failed to discover a flaw that remained buried for nearly five years (1) (2).

Android users can breathe a sigh of relief as Twitter fixes the bug that exposed their private tweets https://t.co/1ZdwuJriAK

- Republic (@republic) January 18, 2019

Twitter officially disclosed the flaw on January 14, after it had been fixed, and confirmed that it did not affect the browser version or the iOS app. The company acknowledged its shortcomings and confirmed that the flaw had existed since November 3, 2014, all of this after it released a new update to the application on Android (3).

As for how the vulnerability worked and the damage it caused: it allowed the tweets of users who had chosen to make their accounts private to be read. Under that setting, tweets are visible only to followers the account holder has approved, rather than being public to everyone. It is worth mentioning that the vulnerability did not affect all Twitter users on Android, only those who changed their account settings during the period above. Apparently, the app did not send the private-tweets option to the company's servers, so the tweets were shown to everyone without the users' knowledge.

Twitter has notified some of those affected by this vulnerability, while others have been prompted to go to their account settings and make sure that the "Protect your Tweets" option is enabled. This applies only to those who want what they share to be seen by their followers alone. If you want your tweets to remain publicly available, the vulnerability has no effect on you, and there is no need to check that the settings are correct.

Stealing images and files

The Twitter application's flaw on Android looks very minor next to the vulnerability in the ES File Explorer application, which allows anyone connected to the same wireless network as an Android phone to steal files, including photos and videos stored in the phone's memory or on external storage (4).

Yaaa Sater

With this news, you all need to make sure that what you have on your network is not a hotel, not a resort

Take it in my sword

I do not know where Android says Android. All systems are exposed to this notification

And God saves and wester everyone https://t.co/IlmDf9QT7R

- #AbdullaScript | Abdullah (@abdullascript) January 16, 2019

The application essentially lets users manage the files on their device, much like the tools that desktop operating systems provide: the user can create folders to organize images, hide some of them, and easily share files with other devices. The problem is that the application contains a hidden server, listening on port 59777, that throws user privacy to the wind.

Each device connected to the Internet has its own IP address to distinguish it from other devices. This means that the smartphone will have its own address, say "192.168.1.20" for example. With the application present, the vulnerability that was discovered means that requests to port 59777 are accepted, in the form "192.168.1.20:59777", giving access to the user's files.

Such a request can be made by anyone connected to the same network, and with tools capable of interpreting the data sent over that port, many operations can be performed, including listing the applications on the phone and reading and copying files, all without the device owner's knowledge.
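A defender-side check for the exposure described above, added here as an example and not taken from the article or from the application: it reads a Linux/Android socket table in the `/proc/net/tcp` (or `tcp6`) layout and reports any listening socket on port 59777 that is bound to a non-loopback address. It assumes you have obtained that table as text from your own device; the sample rows and the function names are constructed for illustration.

```python
import ipaddress

ES_PORT = 59777  # port named in the article
LISTEN = "0A"    # state code the kernel uses for a listening TCP socket

# Constructed sample in /proc/net/tcp layout (columns after uid trimmed).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10087
   1: 00000000:E981 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10112
   2: 1401A8C0:E981 0501A8C0:C3F2 01 00000000:00000000 00:00000000 00000000 10112
"""

def decode_addr(hex_addr):
    """Decode a kernel hex address; each 32-bit word is stored little-endian."""
    raw = bytes.fromhex(hex_addr)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    addr = ipaddress.ip_address(b"".join(words))
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr

def exposed_listeners(proc_text, port=ES_PORT):
    """Return bind addresses of LISTEN sockets on `port` reachable off-device."""
    found = []
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or ":" not in fields[1]:
            continue  # header row or malformed line
        hex_addr, hex_port = fields[1].rsplit(":", 1)
        if fields[3] != LISTEN or int(hex_port, 16) != port:
            continue  # not listening, or a different port
        addr = decode_addr(hex_addr)
        if not addr.is_loopback:
            found.append(str(addr))
    return found

if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE):
        print(f"port {ES_PORT} is listening on {addr} (reachable from the network)")
```

A result of `0.0.0.0` or `::` means the socket accepts connections on every interface, including Wi-Fi; an empty list means nothing is listening on that port beyond the device itself.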

With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.
The surprise is: if you opened the app at least once, anyone connected to the same local network can still get a file from your phone https://t.co/Uv2ttQpUcN

- Elliot Alderson (@fs0c131y) January 16, 2019

The vulnerability exists in version 4.1.9.7.4 and earlier. The application's owners confirmed that they have closed it completely and sent the update to Google for publication on the store, pending approval. Users are advised to update immediately and make sure they are running the latest version of the application (5). It is noteworthy that Mohamed Abdel Basset, a specialist in the field of digital security, confirmed that a similar flaw had been found in AirDroid, an application that allows Android devices to be managed from a computer (6), but this does not mean that the blame lies with the Android system.

In such situations, experts always advise updating operating systems and applications promptly. Ignoring this advice leaves a myriad of security vulnerabilities open. If updates cannot be installed from the store for one reason or another, secure alternatives can be used that make the latest versions of applications available as soon as they are released.