A patch for a high-risk flaw (CVE-2020-8913) found in the Google Play Core Library has still not been included in several popular Google Play apps, especially Edge.
The vulnerability exploit
To exploit the flaw on a device, an attacker would first have to convince the victim to install a malicious application that the attacker has created. An application built with the vulnerable Google Play Core Library is then a good target for that malicious application.
Once the payload has been delivered to the victim's device, the attacker loads it into the library and executes the attack, in which the payload gains access to anything stored in the hosting application.
Some researchers have said that the flaw mentioned above is extremely easy to exploit:
All you need to do is to create a ‘hello world’ application that calls the exported intent in the vulnerable app to push a file into the verified files folder with the file-traversal path. Then sit back and watch the magic happen.
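The weakness described in that quote is a file name that escapes the trusted folder through path traversal. As an added example (not code from the Play Core Library or its patch), the following sketch shows the containment check a component that receives file names from other apps would apply before writing; the class name, method name and folder names are hypothetical, and the sample file names are constructed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class VerifiedFolderGuard {

    /**
     * Resolves an untrusted file name against a trusted folder and returns the
     * target only if it stays inside that folder after canonicalisation.
     * (Hypothetical helper for illustration.)
     */
    static File resolveInside(File trustedDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()
                || untrustedName.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed file name");
        }
        // getCanonicalFile() collapses "." and ".." segments and resolves symlinks,
        // so the comparison below is made on the real destination.
        File base = trustedDir.getCanonicalFile();
        File target = new File(base, untrustedName).getCanonicalFile();

        // Compare against the folder path plus a separator so that a sibling
        // such as "verified_files_evil" does not pass a plain prefix match.
        String prefix = base.getPath() + File.separator;
        if (!target.getPath().startsWith(prefix)) {
            throw new SecurityException("file name escapes trusted folder: " + untrustedName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: a trusted folder next to an untrusted one.
        File root = Files.createTempDirectory("guard-demo").toFile();
        File verified = new File(root, "verified_files");
        verified.mkdirs();

        String[] names = {                      // constructed sample inputs
            "feature.apk",                      // plain child
            "nested/feature.apk",               // nested child
            "../unverified_files/feature.apk",  // traversal to a sibling folder
            "nested/../../feature.apk",         // traversal hidden behind a valid segment
            "../verified_files_evil/x.apk"      // sibling sharing the folder's name prefix
        };
        for (String name : names) {
            try {
                System.out.println("ACCEPT " + name + " -> " + resolveInside(verified, name));
            } catch (SecurityException e) {
                System.out.println("REJECT " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```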
The potential impact of the flaw is regarded as serious and high-risk for some users and organizations that need to use the Google Play Core Library.
The situations that can arise from the flaw are as follows:
- Attackers injecting code into applications in order to steal credentials and 2FA (two-factor authentication) codes
- Attackers injecting code into enterprise applications
- Attackers injecting code into instant-messaging apps to respond on the victim’s behalf