Security Problem: Screenshot Function #401

Open
ThomasHabets opened this issue Oct 10, 2014 · 13 comments

@ThomasHabets ThomasHabets commented Oct 10, 2014

Original issue 402 created by TriplexAccount.P.N on 2014-07-08T10:27:41.000Z:

What steps will reproduce the problem?

  1. Call Screenshot Function from the specific smartphone

What version of the product are you using? On what operating system?
Google Authenticator: 2.49

Please provide any additional information below.
In general, it is not possible to take a screenshot of any inner user interface from a banking app for security reasons. The Google Authenticator can be compromised by using a trojan with a screenshot function. Please disable the ability to take a screenshot from the main interface of the Google Authenticator.

@ninp0 ninp0 commented Aug 26, 2016

Greetings,

From a responsible disclosure perspective, I have a PoC that takes advantage of this bug by taking a screenshot of Google Authenticator while it's running, OCRs the screenshot, and returns the text representation of the token. Where should I share this PoC?

@ThomasHabets ThomasHabets commented Aug 26, 2016

Is this a cross-app vuln? What permissions are required, if any?

@ThomasHabets ThomasHabets commented Aug 26, 2016

I opened google/google-authenticator-android#50 for the Android app, and am leaving this one open for BlackBerry & iPhone, which are in this repo.

@ninp0 ninp0 commented Aug 26, 2016

The PoC I put together relies upon ADB to take the screen while Google Authenticator is up and running. From there adb pulls down the screen and OCRs out the token.

@ThomasHabets ThomasHabets commented Aug 26, 2016

So it relies on physical access to an unlocked phone? Is there an attack that gives more access than eyeballs and writing it down, or someone snapping a picture?

@ninp0 ninp0 commented Aug 26, 2016

If that's what it takes to get this closed out from 10/10/2014, I can focus some more time. The concern is screenshot blocking is something Authy already prevents... I imagine it's an easy fix?

https://developer.android.com/reference/android/view/WindowManager.LayoutParams.html#FLAG_SECURE

@ThomasHabets ThomasHabets commented Aug 26, 2016

I would imagine so. I'll look into it in google/google-authenticator-android#50 and will also check with the closed-source GA people.

@ThomasHabets ThomasHabets commented Aug 26, 2016

If you would look at it and send a pull request I would greatly appreciate it.

@HaiImGeorge HaiImGeorge commented Mar 8, 2020

People recently noticed that this was a problem, nice.

@ThomasHabets ThomasHabets commented Mar 8, 2020

The issue in the press recently is, as I understand it, entirely about accessibility functionality that can't (?) be disabled (and for good reason, because accessibility), not about this issue, which is about screenshots.

@fuhrmanator fuhrmanator commented Mar 9, 2020

@HaiImGeorge I came here from this article. All about screenshots and malware taking them.

@ThomasHabets ThomasHabets commented Mar 9, 2020

They linked to the wrong bug. This is the bug for the Android app.

And since they got that part wrong, I doubt if they know the difference between this bug (screenshots) and the recent articles about accessibility. IOW: what I just said a comment ago.

@ThomasHabets ThomasHabets commented Mar 9, 2020

Also, for other people coming here from ZDNet:

FYI: The version in the Google Play Store / Apple App Store is not the same as this open source version. They've diverged. This open source version is also unlikely to end up in the app stores. This open source version doesn't get much love, but I'll accept well-written pull requests.

In other words: This bug does NOT track the issue described in the article, for three reasons:

  1. This bug is about non-Android, the article is about Android
  2. This bug is about screenshots, which AFAIK is not the same issue
  3. This repo does not contain the code for Google Authenticator that you can find in any app store whatsoever