LG G3 'Snap' Vulnerability Leaves Owners At Risk of Data Theft (betanews.com) 39
Mark Wilson writes: Security researchers have discovered a vulnerability in LG G3 smartphones which could be exploited to run arbitrary JavaScript to steal data. The issue has been named Snap, and was discovered by Israeli security firms BugSec and Cynet. What is particularly concerning about Snap is that it affects the Smart Notice which is installed on all LG G3s by default. By embedding malicious script in a contact, it is possible to use WebView to run server side code via JavaScript. If exploited, the vulnerability could be used to gather information from SD cards, steal data from the likes of WhatsApp, and steal private photos.
Re: (Score:3, Insightful)
This is, again, why I have an iPhone [cvedetails.com].
FTFY.
Re:Another day, another Android security hole (Score:4, Insightful)
Exactly, that's a nice list of patched vulnerabilities. Every one of those seems to be present in versions prior 9.2.
Considering that the most prevalent [statista.com] version of Android is 4.4 Kit Kat, released in September 2013, this is also why I have an iPhone.
While the G3 may (or may not) get an update to that specific piece of software, there are no guarantees. A similar vulnerability in an iOS would definitely be patched in the newest update.
Re: (Score:2)
Re: (Score:1)
And once Apple found out about them they were patched. That is the difference. Android reported vulnerabilities can go I patched for years. In the iPhone Apple patches them all within weeks and within a month 70% of iPhones have been patched.
Which is more secure a system that receives regular patches and gets users toI stall them or a system that can barely get users to install 10% of their updates.
Re: (Score:2, Informative)
This is, again, why I have an iPhone
Yes, because no iphone has ever had a security vulnerability [cvedetails.com], now or in the future. It's impossible [cvedetails.com], IOS is simply impossible to hack [cvedetails.com], spoof, or do anything bad to, ever. It just can't be done [cvedetails.com], there is no way to do it. No one has ever hacked an IOS device [cvedetails.com] and no one ever will [cvedetails.com]. Ever. It's just completely out of the question. The words "vulnerability [cvedetails.com]" and "IOS" should never even be found [cvedetails.com] in the same paragraph, let alone the same sentence. IOS has never had a security vulnerability [cvedetails.com] and never will, updates are [cvedetails.com]
Re:Another day, another Android security hole (Score:5, Insightful)
These are all before 9.2 so have been patched on all devices from the 4S onwards. My Note 2 is still on KitKat and has numerous security vulnerabilities which Samsung don't give a shit about fixing.
Re: (Score:1, Flamebait)
These are all before 9.2 so have been patched on all devices from the 4S onwards.
My point stands, there has never been an IOS vulnerability and there never will be, except of course for all the ones they've found so far.
Re: Another day, another Android security hole (Score:2)
Your point is irrelevant. Apple fixes its bugs and provides updates to devices that are over 4 years old. How many 4 year old Android phones are on Marshmallow? My old Note 2 from by far the biggest Android OEM is still on KitKat. I like Android but the fragmentation situation is ridiculous. Just buy a Nexus is a crap answer as well. The OEMs and carriers should be providing these updates in a timely manner but they aren't.
Re: (Score:2)
Your point is irrelevant. Apple fixes its bugs and provides updates to devices that are over 4 years old.
BLASPHEMY!! No Apple product has ever had a security vulnerability [cvedetails.com], now or in the future. It's impossible. Apple is perfect and godlike, and death to the unbelievers!
Re: Another day, another Android security hole (Score:2)
That one's fixed too.
Re: (Score:2)
That one's fixed too.
Thank goodness there will never again be another vulnerability in IOS [cvedetails.com].
Re: (Score:2)
And that one too. I can do this all day. Where's the security fixes for my old Note 2 which is newer than the iPhone 4s? Nowhere in sight unless I install a ROM that may or may not support my hardware. The Android ecosystem sucks hard, regardless of the merits of the OS itself (which I like and use). I don't know why you're so ardently defending Samsung / HTC / Sony et al when they don't give a shit about your security. Apple are a bunch of scumbags, but a bunch of scumbags that actually fix their sof
Re: (Score:2)
My Note 2 is still on KitKat and has numerous security vulnerabilities which Samsung don't give a shit about fixing.
To be fair, your KitKat Note 2 is using the latest Chromium webview that even Android Marshmallow is using (because Google is doing an end-run around the manufacturer updates for some of its component updates).
I'm not sure why the LG G3 is not doing the same with SmartNotice. It looks like LG G3 is purposefully going out of its way not to use it for its SmartNotice functionality, despite the fact that it is indeed using the right most-up-to-date version of webview for everything else.
Re: Another day, another Android security hole (Score:2)
There are many other unpatched bugs. The Note 2 took over a year to get Kitkat and there were no updates in between. It's really poor from the biggest Android OEM.
Re:Another day, another Android security hole (Score:5, Insightful)
Re: (Score:2)
That's two words and an up to date CM isn't available for every phone. The version available for my old Note 2 for example is based on KitKat. Even if CM supported every phone 100% that's still no excuse for the manufacturers to abandon their customers. The Note 2 was an expensive flagship phone. It should be getting the same kind of support that iPhones get. That's why I abandoned Android. The only Nexus available at the time was a ridiculously huge 6in one and I wanted one below 5in. For a high spec
Re: (Score:2)
Two words : my buddy's LG phone is stuck on Android 4.1 and there appears to be *nothing* else available for it.
Re: (Score:1)
Heh. Is the third word 'Microsoft'...?
Javascript for your operating system (Score:1)
When you use javasscript in places it shouldn't, thats what you get. Next up, javascript based self driving cars.
The best way to deal with this (Score:2)
That's okay, though, 'cause it's LG... (Score:4, Funny)
...it should be patched by early February. In the year 2245.
Well, unless you have your G3 on Verizon, then you might just need to leave a note for Buck Rogers so that he can apply the patch. when it comes out.
Re: (Score:1)
...it should be patched by early February. In the year 2245.
And this is why LG is losing me as a customer. They drag their feet with every single security update, probably to "encourage" owners to upgrade. You'd think that they could afford to hire someone just to take care of the occasional security patch and update. That and they should be sued for their phones overheating because of the 810 processor. As good as the LG G4's camera is, Samsung's is on par with it and other's are catching up as well.
Re: That's okay, though, 'cause it's LG... (Score:1)
Nobody's going to steal photos (Score:2)