This repository has been archived by the owner on Apr 6, 2021. It is now read-only.

Security Problem: Screenshot Function #401

Open
ThomasHabets opened this issue Oct 10, 2014 · 13 comments

Comments

@ThomasHabets
Contributor

Original issue 402 created by TriplexAccount.P.N on 2014-07-08T10:27:41.000Z:

What steps will reproduce the problem?

  1. Call Screenshot Function from the specific smartphone

What version of the product are you using? On what operating system?
Google Authenticator: 2.49

Please provide any additional information below.
In general, it is not possible to take a screenshot of any inner user interface of a banking app for security reasons. Google Authenticator can be compromised by using a trojan with a screenshot function. Please disable the ability to take a screenshot of the main interface of Google Authenticator.

@ninp0

ninp0 commented Aug 26, 2016

Greetings,

From a responsible disclosure perspective, I have a PoC that takes advantage of this bug by taking a screenshot of Google Authenticator while it's running, OCRs the screenshot, and returns the text representation of the token. Where should I share this PoC?

@ThomasHabets
Contributor Author

Is this a cross-app vuln? What permissions are required, if any?

@ThomasHabets
Contributor Author

I opened google/google-authenticator-android#50 for the Android app, and am leaving this one open for BlackBerry & iPhone, which are in this repo.

@ninp0

ninp0 commented Aug 26, 2016

The PoC I put together relies upon ADB to take the screen while Google Authenticator is up and running. From there adb pulls down the screen and OCRs out the token.

@ThomasHabets
Contributor Author

So it relies on physical access to an unlocked phone? Is there an attack that gives more access than eyeballs and writing it down, or someone snapping a picture?

@ninp0

ninp0 commented Aug 26, 2016

If that's what it takes to get this closed out from 10/10/2014, I can focus some more time. The concern is screenshot blocking is something Authy already prevents... I imagine it's an easy fix?

https://developer.android.com/reference/android/view/WindowManager.LayoutParams.html#FLAG_SECURE
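
The mitigation linked in the comment above, as an added example that is not part of the original thread or of the project's code: an Android activity base class that sets `FLAG_SECURE`, which the platform documents as keeping the window's content out of screenshots and off non-secure displays. The class name `SecureActivity` and the helper `markSecure` are hypothetical.

```java
import android.app.Activity;
import android.app.Dialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;

/** Hypothetical base class: every screen that shows OTP codes extends it. */
public abstract class SecureActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set the flag before the subclass calls setContentView(), so the
        // window is never drawn without it.
        markSecure(getWindow());
    }

    /**
     * FLAG_SECURE is a per-window flag. A Dialog owns its own window, so a
     * dialog that displays a code or a shared secret needs the flag too.
     * Call this before dialog.show().
     */
    protected static void markSecure(Dialog dialog) {
        markSecure(dialog.getWindow());
    }

    private static void markSecure(Window window) {
        if (window != null) {
            // Second argument is the mask: only the FLAG_SECURE bit changes.
            window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                            WindowManager.LayoutParams.FLAG_SECURE);
        }
    }
}
```

To check the result on a test device, take a screenshot with the code screen in the foreground and confirm the captured image does not show the token.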

@ThomasHabets
Contributor Author

I would imagine so. I'll look into it in google/google-authenticator-android#50 and will also check with the closed-source GA people.

@ThomasHabets
Contributor Author

If you would look at it and send a pull request I would greatly appreciate it.

@HaiImGeorge

People recently noticed that this was a problem, nice.

@ThomasHabets
Contributor Author

The issue in the press recently is, as I understand it, entirely about accessibility functionality that can't (?) be disabled (and for good reason, because accessibility), not about this issue, which is about screenshots.

@fuhrmanator

@HaiImGeorge I came here from this article. All about screenshots and malware taking them.

@ThomasHabets
Contributor Author

They linked to the wrong bug. This is the bug for the Android app.

And since they got that part wrong, I doubt if they know the difference between this bug (screenshots) and the recent articles about accessibility. IOW: what I just said a comment ago.

@ThomasHabets
Contributor Author

Also, for other people coming here from ZDNet:

FYI: The version in Google Play Store / Apple App Store is not the same as this open-source version. They've diverged. This open-source version is also unlikely to end up in the app stores. This open-source version doesn't get much love, but I'll accept well-written pull requests.

In other words: This bug does NOT track the issue described in the article, for three reasons:

  1. This bug is about non-Android, the article is about Android
  2. This bug is about screenshots, which AFAIK is not the same issue
  3. This repo does not contain the code for Google Authenticator that you can find in any app store whatsoever
