Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
23 lines (16 sloc) 993 Bytes
########Found following vulnerability in Android Phone (Xiaomi Mi A1)########
Android Fingerprint (Tested on):
xiaomi/tissot/tissot_sprout:8.1.0/OPM1.171019.026/V9.6.4.0.ODHMIFE:user/release-keys
Vulnerability:
Hotspot Password is leaking in clear text in Logcat
Description:
When the user set up his Mi A1 hotspot, the password set by the user is leaking in clear text in logcat.
Attack Scenario:
Any malicious application can read the password through logcat & send it to the attacker.
If the attacker is near the victim, he will be able to connect to the user's network.
Steps to Reproduce:
1) Start monitoring the phone's logcat through "adb shell logcat" [append the logs into a file]
2) Now, just set up a new hotspot with any password & start the hotspot.
3) Just search for your password in the file create at step 1. You will see that the hotspot password is leaking in clear text in logcat.
CVE-ID: CVE-2018-18698
Hall of Fame: https://sec.xiaomi.com/fame?year=2018&month=08