CVE-2023-35671: Android Flaw Could Let Attacker Make Unauthorized Payments
A security flaw in the Android App Pin (screen pinning) feature could be abused to make unauthorized payments with card details held in Google Wallet. The vulnerability, patched in the September 2023 Android security updates, lets an NFC reader obtain the full card number and expiry date from a device that is pinned to an app, a state in which that data is supposed to stay protected.
Tracked as CVE-2023-35671, the bug is an information disclosure issue caused by a logic error: under the right conditions it hands a reader the full card number and expiry date that should never have left the device.
The entry point is the Android App Pin feature. Android introduced it as 'screen pinning' in Android 5.0 Lollipop (API level 21) in November 2014. It lets a user lock the device to a single app so that other apps and their data are unreachable until the app is unpinned, which is useful when handing a device to someone else or when one task should stay in the foreground.
The feature is meant to limit what a person holding the device can do. As the discovery below shows, it did not limit what an NFC reader could ask the device for.
The flaw was discovered by security researcher Tiziano Marra. It lies in HostEmulationManager.java, the part of the Android NFC stack that routes commands from an external reader to host card emulation (HCE) services such as Google Wallet. When a general-purpose NFC reader talks to a device that is in App Pin mode, a logic error in that routing code lets the reader bypass the restrictions that should apply and read the full card number and expiry date.
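To make the routing decision concrete, here is an added example (not code from the article, from Tiziano Marra, or from AOSP) of a simplified HCE router: it parses a reader's ISO 7816 SELECT-by-name command, looks up the registered service for the requested AID, and applies a policy gate before routing. It treats a pinned (lock-task) session as a restricted state for payment services that require unlock, which is the behaviour the article describes as expected; it does not reproduce HostEmulationManager.java or the actual logic error. The device-state fields, service registry, AID and APDU bytes are constructed for illustration.

```python
"""
Added example, not code from the article or from AOSP: a simplified model
of the policy gate an NFC host-card-emulation (HCE) router should apply
before handing a reader's SELECT-AID command to a payment service.
It does not reproduce HostEmulationManager.java or the CVE-2023-35671
logic error; the state fields, registry and APDU bytes are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# ISO 7816-4 SELECT by DF name: CLA=00 INS=A4 P1=04 P2=00 Lc <AID> [Le]
SELECT_INS = 0xA4
SELECT_BY_NAME_P1 = 0x04


@dataclass
class DeviceState:
    screen_on: bool
    keyguard_locked: bool
    lock_task_mode: bool   # True while an app is pinned ("App Pin")


@dataclass
class HceService:
    name: str
    aids: tuple[bytes, ...]
    category: str          # "payment" or "other" (constructed labels)
    require_device_unlock: bool


def parse_select_aid(apdu: bytes) -> bytes | None:
    """Return the AID from a SELECT-by-name APDU, or None if it is not one."""
    if len(apdu) < 5 or apdu[1] != SELECT_INS or apdu[2] != SELECT_BY_NAME_P1:
        return None
    lc = apdu[4]
    if lc == 0 or len(apdu) < 5 + lc:
        return None
    return apdu[5:5 + lc]


def route(apdu: bytes, services: list[HceService], state: DeviceState):
    """
    Decide what to do with an incoming APDU.
    Returns (service_name, None) when routing is allowed, or
    (None, reason) when the command must not reach any service.
    """
    aid = parse_select_aid(apdu)
    if aid is None:
        return None, "not a SELECT-by-name command; nothing to route"
    match = next((s for s in services if aid in s.aids), None)
    if match is None:
        return None, "no service registered for AID %s" % aid.hex()
    # Policy gate. A pinned (lock-task) session is treated as restricted
    # for payment services: the person holding a pinned device is not
    # necessarily the owner who authorised payments.
    if not state.screen_on:
        return None, "screen off"
    if match.category == "payment" and match.require_device_unlock:
        if state.keyguard_locked:
            return None, "keyguard locked; unlock required before payment"
        if state.lock_task_mode:
            return None, "device is pinned to an app; payment blocked"
    return match.name, None


if __name__ == "__main__":
    # Constructed sample: one payment service, one reader SELECT command.
    wallet = HceService("Wallet", (bytes.fromhex("A0000000041010"),), "payment", True)
    select = bytes.fromhex("00A4040007A000000004101000")
    for label, st in (("unlocked", DeviceState(True, False, False)),
                      ("pinned", DeviceState(True, False, True)),
                      ("locked", DeviceState(True, True, False))):
        print(label, "->", route(select, [wallet], st))
```

The gate runs before the APDU is delivered, so a service never sees the command unless policy allows it; the reader only gets a response when `route` returns a service name.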
Exploiting CVE-2023-35671 requires physical proximity: the attacker needs an NFC reader and a device that is in App Pin mode. Pinning an app yourself requires the device to already be unlocked, so the realistic case is a device its owner pinned to a single app before handing it over. Holding the reader against the device is enough to obtain the card data; no unlock or other user interaction is needed. The attacker could then attempt to use the card number and expiry date for unauthorized payments.
Marra also published a proof-of-concept exploit that demonstrates the issue.
The vulnerability is rated as high severity. It has been patched in the September 2023 Android security updates, so users are advised to update their devices as soon as possible.
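The practical check is whether a device already carries the fix. The following added script (not from the article or from AOSP) reads `ro.build.version.security_patch` from an attached device over adb and compares it with the patch level that ships the fix. It assumes the fix is in the 2023-09-01 patch level, the first level of the September 2023 bulletin; the sample levels in the tests are constructed.

```python
"""
Added example (not from the article or from AOSP): compare a device's
Android security patch level with the level that ships the
CVE-2023-35671 fix. Assumes the fix is in the 2023-09-01 patch level.
"""
from __future__ import annotations

import re
import shutil
import subprocess
from datetime import date

FIX_LEVEL = date(2023, 9, 1)          # assumption: first September 2023 level
_LEVEL_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_patch_level(text: str) -> date:
    """Parse ro.build.version.security_patch (YYYY-MM-DD); reject anything else."""
    m = _LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised security patch level: {text!r}")
    year, month, day = (int(g) for g in m.groups())
    return date(year, month, day)


def is_patched(level_text: str) -> bool:
    """True when the device's patch level is at or after FIX_LEVEL."""
    return parse_patch_level(level_text) >= FIX_LEVEL


def device_patch_level(serial: str | None = None) -> str:
    """Read the patch level from an attached device (needs adb on PATH)."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found on PATH")
    cmd = ["adb"]
    if serial:
        cmd += ["-s", serial]
    cmd += ["shell", "getprop", "ro.build.version.security_patch"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    level = device_patch_level()
    verdict = ("fix present" if is_patched(level)
               else "NOT patched, install the September 2023 update or later")
    print(f"security patch level {level}: {verdict}")
```

A patch level on or after the fix level means the OEM build includes that bulletin; a lower level means the device is still exposed regardless of which Android version it reports.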
In the meantime, there are a few things users can do to protect themselves from this vulnerability:
- Avoid using App Pin mode in public or other places where your device could be accessed by unauthorized people.
- Keep your device’s screen locked when you are not using it.
- Use a strong PIN or pattern to protect your device’s lock screen.
- Be careful about what apps you install on your device. Only install apps from trusted sources.
If you think that your device may have been affected by this vulnerability, you should contact your bank or credit card company immediately. They will be able to help you protect your account and prevent any unauthorized transactions.