Multiple security vulnerabilities have been disclosed in various applications and system components within Xiaomi devices running Android.
“The vulnerabilities in Xiaomi led to access to arbitrary actions, receivers and products and services with process privileges, theft of arbitrary data files with system privileges, [and] disclosure of phone, configurations and Xiaomi account facts,” mobile security firm Oversecured said in a report shared with The Hacker News.
The 20 shortcomings affect different apps and components, including:
- Gallery (com.miui.gallery)
- GetApps (com.xiaomi.mipicks)
- Mi Video (com.miui.videoplayer)
- MIUI Bluetooth (com.xiaomi.bluetooth)
- Phone Services (com.android.phone)
- Print Spooler (com.android.printspooler)
- Security (com.miui.securitycenter)
- Security Core Component (com.miui.securitycore)
- Settings (com.android.settings)
- ShareMe (com.xiaomi.midrop)
- System Tracing (com.android.traceur), and
- Xiaomi Cloud (com.miui.cloudservice)
Some of the notable flaws include a shell command injection bug impacting the System Tracing app and flaws in the Settings app that could enable theft of arbitrary files as well as leak information about Bluetooth devices, connected Wi-Fi networks, and emergency contacts.
It is worth noting that although Phone Services, Print Spooler, Settings, and System Tracing are legitimate components from the Android Open Source Project (AOSP), they have been modified by the Chinese handset maker to incorporate additional functionality, leading to these flaws.
Also discovered is a memory corruption flaw impacting the GetApps app, which, in turn, originates from an Android library called LiveEventBus that Oversecured said was reported to the project maintainers over a year ago and remains unpatched to date.
The Mi Video app has been found to use implicit intents to send Xiaomi account information, such as username and email address, via broadcasts, which could be intercepted by any third-party app installed on the device using its own broadcast receivers.
Oversecured said the issues were reported to Xiaomi within a span of 5 days from April 25 to April 30, 2024. Users are advised to apply the latest updates to mitigate potential threats.
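The sender-side pattern behind this class of leak, next to a hardened form, is sketched below as an added example. It is not code from Xiaomi, Mi Video, or the Oversecured report; the package, action, and permission names are hypothetical and constructed for illustration.

```java
package com.example.accountsync; // hypothetical package, constructed for this example

import android.content.Context;
import android.content.Intent;

public final class AccountBroadcasts {
    // Hypothetical identifiers; none of these come from the affected apps.
    static final String ACTION_ACCOUNT_INFO = "com.example.accountsync.ACCOUNT_INFO";
    static final String TRUSTED_PACKAGE = "com.example.accountsync.consumer";
    // Assumed to be declared in the manifest with android:protectionLevel="signature",
    // so only apps signed with the same key can hold it.
    static final String PERM_READ_ACCOUNT = "com.example.accountsync.permission.READ_ACCOUNT";

    private AccountBroadcasts() {}

    // Weak: implicit intent, no target package, no receiver permission.
    // The system delivers the extras to every app that registered a
    // receiver for this action, regardless of who wrote that app.
    static void sendUnprotected(Context ctx, String username, String email) {
        Intent intent = new Intent(ACTION_ACCOUNT_INFO);
        intent.putExtra("username", username);
        intent.putExtra("email", email);
        ctx.sendBroadcast(intent);
    }

    // Hardened: the broadcast is limited to one package, and the receiver
    // must also hold a signature-level permission. Either control alone
    // narrows delivery; using both guards against a misdeclared permission
    // or a changed package name.
    static void sendProtected(Context ctx, String username, String email) {
        Intent intent = new Intent(ACTION_ACCOUNT_INFO);
        intent.setPackage(TRUSTED_PACKAGE);
        intent.putExtra("username", username);
        intent.putExtra("email", email);
        ctx.sendBroadcast(intent, PERM_READ_ACCOUNT);
    }
}
```

When auditing an app for this issue, search for `sendBroadcast` calls whose intent carries account or device data but has neither `setPackage`/`setComponent` nor a receiver permission argument.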
Some parts of this article are sourced from:
thehackernews.com