SIK-2016-029


Title:

Google Search Information Leakage in Dashlane Password Manager Browser

Report ID

SIK-2016-029

Summary:

  • Vendor: Dashlane
  • Product: Dashlane Password Manager
  • Affected Version: Version Code=1378, Version Name="4.3.3.1378-armeabi-v7a"
  • Severity: low-medium
  • Short summary:
    All search requests in the LastPass browser can be eavesdropped on by a man-in-the-middle attack. Furthermore, all search strings were leaked to the logcat output.

Details:

The Dashlane browser's address bar also integrates searching. When a search term is entered, it is forwarded to the Google search engine. The implemented log output writes the search request to the logcat output.

W/[DEV]( 2087): URI http://www.google.de/search?q=searchstring&gws_rd=cr&ei=17HfV97fHoPzUsGOsJgE
E/SearchEngines( 2087): Cannot load search engine google
W/cr_BindingManager( 2087): Cannot call determinedVisibility() - never saw a connection for the pid: 2087
E/SearchEngines( 2087): Cannot load search engine google
E/SearchEngines( 2087): Cannot load search engine google
W/[DEV]( 2087): URI http://www.google.de/search?q=hello+world&gws_rd=cr&ei=EbPfV6DYIITeU735s_gF
E/SearchEngines( 2087): Cannot load search engine google
E/SearchEngines( 2087): Cannot load search engine google
W/cr_BindingManager( 2087): Cannot call determinedVisibility() - never saw a connection for the pid: 2087
E/SearchEngines( 2087): Cannot load search engine google
W/[DEV]( 2087): URI https://www.google.de/search?q=hello+world&gws_rd=cr,ssl&ei=EbPfV6DYIITeU735s_gF
E/SearchEngines( 2087): Cannot load search engine google

Additionally, a man-in-the-middle attacker can eavesdrop on the search requests, because they are sent to Google via HTTP requests (see screenshot).

GET http://www.google.com/m?q=blubb
          302 text/html 274B 131ms
GET http://www.google.com/m?q=blubb&gws_rd=cr&ei=r7PfrV6eoCcKRUdL_idAL
          302 text/html 279B 98ms
GET http://www.google.com/m?q=something
          302 text/html 279B 97ms
GET http://www.google.com/m?q=something&gws_rd=cr&eivbPfV5CAHcPeUYTVsogM
          302 text/html 284B 67ms

Such a MITM attack on smartphones can be realized very easily via a rogue / compromised Wi-Fi hotspot or GSM hotspot.

Workaround

Searching should not be done from the address bar; instead, open Google directly (HTTPS) and enter the search term in the Google search field.

Suggested Mitigation

Redirect the search term to Google via HTTPS; do not use HTTP-based search requests.
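
The following check is an added example, not part of the original advisory or of Dashlane's code: it scans logcat output in the format shown under Details for logged URLs that carry a search term and marks those requested over cleartext HTTP, which can be used to confirm that a fixed build no longer shows either finding. The sample lines are copied from the log excerpt above; the names audit_logcat and SEARCH_PARAMS are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Logcat "brief" format as in the excerpt: <level>/<tag>(<pid>): <message>
LOGCAT_LINE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>.+?)\(\s*(?P<pid>\d+)\):\s(?P<msg>.*)$"
)
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Query parameters treated as user search input (assumption; extend as needed).
SEARCH_PARAMS = ("q",)

# Lines copied from the advisory's logcat excerpt.
SAMPLE = """\
W/[DEV]( 2087): URI http://www.google.de/search?q=searchstring&gws_rd=cr&ei=17HfV97fHoPzUsGOsJgE
E/SearchEngines( 2087): Cannot load search engine google
W/[DEV]( 2087): URI http://www.google.de/search?q=hello+world&gws_rd=cr&ei=EbPfV6DYIITeU735s_gF
W/[DEV]( 2087): URI https://www.google.de/search?q=hello+world&gws_rd=cr,ssl&ei=EbPfV6DYIITeU735s_gF
""".splitlines()


def audit_logcat(lines):
    """Return one finding per logged URL that carries a search term."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOGCAT_LINE.match(line.strip())
        if not m:
            continue  # wrapped continuation lines or other log formats
        for url in URL.findall(m["msg"]):
            parts = urlsplit(url)
            query = parse_qs(parts.query)  # decodes '+' and %xx escapes
            terms = [v for p in SEARCH_PARAMS for v in query.get(p, [])]
            if not terms:
                continue
            findings.append({
                "line": lineno,
                "tag": m["tag"],
                "pid": int(m["pid"]),
                "host": parts.hostname,
                "terms": terms,  # any entry here means the term reached logcat
                "cleartext": parts.scheme.lower() == "http",
            })
    return findings


if __name__ == "__main__":
    for f in audit_logcat(SAMPLE):
        kind = "logged + cleartext HTTP" if f["cleartext"] else "logged"
        print(f"line {f['line']} [{f['tag']}] {f['host']}: {kind}: {f['terms']}")
```

A build that implements the suggested mitigation and drops the URI log statement should produce an empty result for the same search actions.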

Timeline

  • 2016-09-23 Vulnerability Discovered
  • 2016-09-26 Vulnerability Reported
  • 2016-10-25 Vulnerability Fixed