SIK-2016-029
Title:
Google Search Information Leakage in Dashlane Password Manager Browser
Report ID
SIK-2016-029
Summary:
- Vendor: Dashlane
- Product: Dashlane Password Manager
- Affected Version: Version Code=1378, Version Name="4.3.3.1378-armeabi-v7a"
- Severity: low-medium
- Short summary:
All search requests in the LastPass browser can be eavesdropped through a man-in-the-middle attack. Furthermore, all search strings were leaked to the logcat output.
Details:
The Dashlane browser's address bar also integrates search. When a search term is entered, it is forwarded to the Google search engine. The implemented log output writes the search request to the logcat output.
W/[DEV]( 2087): URI http://www.google.de/search?q=searchstring&gws_rd=cr&ei=17HfV97fHoPzUsGOsJgE
E/SearchEngines( 2087): Cannot load search engine google
W/cr_BindingManager( 2087): Cannot call determinedVisibility() - never saw a connection for the pid: 2087
E/SearchEngines( 2087): Cannot load search engine google
E/SearchEngines( 2087): Cannot load search engine google
W/[DEV]( 2087): URI http://www.google.de/search?q=hello+world&gws_rd=cr&ei=EbPfV6DYIITeU735s_gF
E/SearchEngines( 2087): Cannot load search engine google
E/SearchEngines( 2087): Cannot load search engine google
W/cr_BindingManager( 2087): Cannot call determinedVisibility() - never saw a connection for the pid: 2087
E/SearchEngines( 2087): Cannot load search engine google
W/[DEV]( 2087): URI https://www.google.de/search?q=hello+world&gws_rd=cr,ssl&ei=EbPfV6DYIITeU735s_gF
E/SearchEngines( 2087): Cannot load search engine google
Additionally, a man-in-the-middle attacker can eavesdrop on the search requests, because they are sent to Google over plain HTTP (see screenshot).
GET http://www.google.com/m?q=blubb 302 text/html 274B 131ms
GET http://www.google.com/m?q=blubb&gws_rd=cr&ei=r7PfrV6eoCcKRUdL_idAL 302 text/html 279B 98ms
GET http://www.google.com/m?q=something 302 text/html 279B 97ms
GET http://www.google.com/m?q=something&gws_rd=cr&eivbPfV5CAHcPeUYTVsogM 302 text/html 284B 67ms
Such a MITM attack on smartphones can be realized very easily with a rogue or compromised Wi-Fi hotspot or GSM hotspot.
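The check below is an added example, not part of the original advisory and not Dashlane code. It scans a logcat capture for logged URLs that carry a search term and additionally flags those logged with the plain http scheme. The sample lines are copied from the logcat excerpt above; the parameter names q and query and the brief logcat line format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Sample input: lines copied from the logcat excerpt in this advisory.
SAMPLE_LOGCAT = """\
W/[DEV]( 2087): URI http://www.google.de/search?q=searchstring&gws_rd=cr&ei=17HfV97fHoPzUsGOsJgE
E/SearchEngines( 2087): Cannot load search engine google
W/[DEV]( 2087): URI http://www.google.de/search?q=hello+world&gws_rd=cr&ei=EbPfV6DYIITeU735s_gF
W/[DEV]( 2087): URI https://www.google.de/search?q=hello+world&gws_rd=cr,ssl&ei=EbPfV6DYIITeU735s_gF
"""

# Assumed logcat "brief" layout: <priority>/<tag>(<pid>): <message>
LINE_RE = re.compile(r"^(?P<prio>[VDIWEF])/(?P<tag>.+?)\(\s*(?P<pid>\d+)\):\s(?P<msg>.*)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
QUERY_PARAMS = ("q", "query")  # assumption: parameters that carry user search text


def audit_logcat(text):
    """Return one finding per logged URL that contains a search term."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log line in the expected format
        for url in URL_RE.findall(m["msg"]):
            parts = urlsplit(url)
            params = parse_qs(parts.query)  # decodes '+' and %xx in the term
            terms = [v for k in QUERY_PARAMS for v in params.get(k, [])]
            if not terms:
                continue  # URL logged, but no search text in it
            issues = ["search term written to logcat"]
            if parts.scheme == "http":
                issues.append("logged search URL uses cleartext http")
            findings.append({"line": lineno, "tag": m["tag"], "pid": int(m["pid"]),
                             "host": parts.hostname, "terms": terms, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_logcat(SAMPLE_LOGCAT):
        print(f"line {f['line']} [{f['tag']}] {f['host']}: "
              f"{f['terms']} -> {'; '.join(f['issues'])}")
```

Run against a capture taken while searching from the address bar, an empty result is the expected outcome for a fixed build.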
Workaround
Searching should not be done from the address bar. Instead, open Google directly over HTTPS and enter the search term in the Google search field.
Suggested Mitigation
Redirect the search term to Google via HTTPS; do not use HTTP-based search requests.
Timeline
- 2016-09-23 Vulnerability Discovered
- 2016-09-26 Vulnerability Reported
- 2016-10-25 Vulnerability Fixed