[VS-2017-002] Dolphin Browser for Android Insecure Intent URI Scheme Parsing Vulnerability

CVE ID

CVE-2017-17553

CVSS Score

https://nvd.nist.gov/vuln/detail/CVE-2017-17553

Vendor

Mobotap

Product

Dolphin Browser for Android < 12.0.2

Vulnerability Details

The Dolphin Browser for Android 12.0.2 suffers from an insecure parsing implementation of the Intent URI scheme. This vulnerability could allow attackers to abuse this implementation through a malicious Intent URI, in order to invoke private Activities within the Dolphin Browser.
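
One common way a browser can restrict page-supplied Intent URIs so they cannot address private Activities, shown as an added example that is not taken from this advisory or from Dolphin's code. The class and method names are hypothetical, and it assumes the browser hands `intent:` URIs from web content to `Intent.parseUri`.

```java
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import java.net.URISyntaxException;

/** Hypothetical helper (not Dolphin code) for intent: URIs that come from web content. */
public final class SafeIntentUriHandler {
    private SafeIntentUriHandler() {}

    /** Parses an untrusted intent: URI and limits what it is allowed to resolve to. */
    public static Intent sanitize(String uri) throws URISyntaxException {
        Intent intent = Intent.parseUri(uri, Intent.URI_INTENT_SCHEME);

        // Match only activities whose intent filter opts in to being opened from a browser.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);

        // Drop an explicit component so the URI cannot name a specific Activity,
        // including non-exported ones inside the browser's own package.
        intent.setComponent(null);

        // A selector is used for resolution in place of the main intent, so it
        // would bypass the two restrictions above if left in place.
        intent.setSelector(null);

        // Web content must not make the browser grant access to its own content URIs.
        int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION;
        intent.setFlags(intent.getFlags() & ~grantFlags);
        return intent;
    }

    /** Returns true only if a browsable activity was started for the URI. */
    public static boolean launch(Activity host, String uri) {
        try {
            return host.startActivityIfNeeded(sanitize(uri), -1);
        } catch (URISyntaxException | ActivityNotFoundException | SecurityException e) {
            // Malformed URI, no browsable handler, or a target that refuses the caller.
            return false;
        }
    }
}
```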

Vendor Response

Mobotap has not issued a response nor an update to remediate this vulnerability.

Disclosure Timeline

  • 2017-11-28 - Reached out on Twitter and asked to speak with someone who is responsible for product security
  • 2017-12-04 - Emailed requesting to speak with someone who can address security issues in the Dolphin Browser for Android, no response
  • 2017-12-07 - Emailed to verify initial email was received, no response
  • 2017-12-10 - Emailed to inform of the public release of an advisory, CC'ed security@dolphin.com and received a bounce on the email address
  • 2017-12-11 - Public zero day release of advisory

Credit

Benjamin Watson of VerSprite Security (@rotlogix)