Скачать или смотреть LaBanquePostale Android application Vulnerability CVE-2014-5076

** New version (3.2.6) is no longer vulnerable !! ***

Labanquepostale application does not properly protects its 'Activities'.

One malicious application could send specific crafted Intents to invoke labanquepostale activities and disclosing sensitive bank user's data.

User must have logged in the application in order to get some content from the activities. Invoke directly one activity bypass the authentication mechanism and disclose previous supposely cached content.

Since I DO NOT have an account, invoked activities are still displayed, but no content is disclosed.

This video displays this vulnerability being exploited (version 3.2) but still works on version 3.2.5.

This vulnerability has been adressed to the CERT La Poste and, after several months, I decided to request a CVE to MITRE..



Timeline :
03/27/14 : Vulnerability identified & confirmed ;
03/27/14 : CERT La Poste mailed ;
03/28/14 : Call with CERT La Poste to explain the vulnerability and provide some patch tips ;
XX/XX/14 : Release of version 3.2.3 ;
05/27/14 : Release of version 3.2.5 ;
07/01/14 : Check if the vulnerability has been fixed. Vulnerability still present ;
07/01/14 : Mail sent to security engineer at CERT La Poste ;
07/01/14 : Mail sent to MITRE Corp. to request a CVE-ID ;
07/02/14 : Answer from security engineer : Vulnerability does no longer exists on non rooted phone.
07/03/14 : Test on non rooted Android OS smartphone with security engineer. Vulnerability is confirmed on both rooted and non rooted phone ;
07/03/14 : Persistant vulnerability has been reported again to La Banque Postale ;
07/24/14 : MITRE Corp assigned CVE-2014-5076 for the vulnerability ;
07/28/14 : Version 3.2.6 released with vulnerability fixed ;
07/31/14 : Vulnerability publicly disclosed.