SIK-2017-023


Title:

Attacker-Defined Toasts Possible in VR-SecureCARD App

Report ID:

SIK-2017-023

Summary:

  • Vendor: Fiducia & GAD IT AG, Verwaltungssitz Münster
  • Product: VR-SecureCARD
  • Affected Version: 1.2.4
  • Severity: medium
  • Short summary: Any app installed on the same device can start the VR-SecureCARD app and have an attacker-chosen string displayed as a toast inside it, which looks to the user like a legitimate message from the app.

Details:

The app's StartingActivity (de.coronic.cor03.client.android.ui.starting.StartingActivity) can be started by explicit intent from another app and reads the string extra "InitialToastMessage" from the intent that launched it. Whatever that extra contains is shown as a toast on top of the app's normal UI without any validation. Android toasts carry no indication of which app posted them, so the injected text is indistinguishable from a legitimate notification from VR-SecureCARD. Because no permission is required to start an exported activity, any malicious app on the device can use this to present phishing text that appears to come from the app.

Intent (the am command below, run from an adb shell, starts the component named with -n and sets the string extra with --es; "Hello" is the attacker-chosen text):

am start -n de.fgi.ms.vrsecurecard/de.coronic.cor03.client.android.ui.starting.StartingActivity --es "InitialToastMessage" "Hello"


Workaround:

Do not trust toasts from the VR-SecureCARD app: since toasts do not show which app posted them, a user cannot tell an injected toast from a genuine one. Newer versions of the app are not affected (the issue was no longer reproducible as of 2019-03-14).

Suggested Mitigation:

Treat intent extras as untrusted input and never pass them to a toast (or any other UI element) as display text. If an intent needs to select a message, have it carry an opaque key that is looked up in an allowlist of app-defined string resources, and ignore anything not in that list. Activities that do not need to be reachable from other apps should not be exported.
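As an added illustration (not code from the VR-SecureCARD app, whose source is not reproduced here), the following Java sketches the activity pattern the advisory implies next to a hardened version that only lets the intent select an allowlisted, app-owned string resource. The class names, the "InitialToastKey" extra, the message keys and the R.string identifiers are assumptions made for the example; only the "InitialToastMessage" extra name comes from the advisory.

```java
// Added illustrative example, not the VR-SecureCARD source. Shows the
// vulnerable pattern implied by the advisory next to a hardened version.
package example.toast;

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.widget.Toast;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/** Pattern the advisory describes: extra text from any caller reaches the UI unchanged. */
class VulnerableStartingActivity extends Activity {
    // Extra name taken from the advisory's am command.
    static final String EXTRA_INITIAL_TOAST = "InitialToastMessage";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent launch = getIntent();
        // BUG: the caller of an exported activity is untrusted, so this string
        // is attacker-controlled and is shown as if it came from the app.
        String msg = launch.getStringExtra(EXTRA_INITIAL_TOAST);
        if (msg != null) {
            Toast.makeText(this, msg, Toast.LENGTH_LONG).show();
        }
    }
}

/**
 * Hardened version: the intent may select a message but never supplies its text.
 * If this activity must stay exported (e.g. it is the launcher activity), the
 * extras are still attacker-controllable, so the allowlist below is the actual
 * fix; internal activities should additionally be android:exported="false".
 */
public class HardenedStartingActivity extends Activity {
    // Opaque key used by the app's own navigation code (assumed name).
    static final String EXTRA_INITIAL_TOAST_KEY = "InitialToastKey";

    // Allowlist of displayable messages. R.string.* are assumed app resources;
    // the key set, not the caller, decides what can appear on screen.
    private static final Map<String, Integer> TOAST_MESSAGES;
    static {
        Map<String, Integer> m = new HashMap<>();
        m.put("session_expired", R.string.toast_session_expired);
        m.put("card_updated", R.string.toast_card_updated);
        TOAST_MESSAGES = Collections.unmodifiableMap(m);
    }

    /** Returns the resource id for an allowlisted key, or null for anything else. */
    static Integer resolveToast(String key) {
        return key == null ? null : TOAST_MESSAGES.get(key);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Integer resId = resolveToast(getIntent().getStringExtra(EXTRA_INITIAL_TOAST_KEY));
        if (resId != null) {
            // Only app-defined, translated strings can be shown; an attacker's
            // "Hello" (or any other free text) is silently dropped.
            Toast.makeText(this, resId, Toast.LENGTH_LONG).show();
        }
    }
}
```

With the hardened class, the advisory's am command still starts the activity, but the "InitialToastMessage" extra is never read and an unknown value in "InitialToastKey" resolves to null, so nothing is displayed.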

Timeline:

  • 2017-08-09: Vulnerability Discovered
  • 2017-08-09: Developer contacted
  • 2019-03-14: Vulnerability no longer reproducible