$AT&T Drivemode Android Bug Bounty





Below is the discovery for a vulnerability in AT&T's Drivemode Android application. The bug is now remediated.

Vulnerable Website URL or Application

https://play.google.com/store/apps/details?id=com.drivemode&feature=nav_result

Description of Security Issue

This report is for the Android AT&T DriveMode application (Version 1.0.4.2, Version Code 1030570), tested on a Google Nexus 5 with Android 5.0. When the user chooses a new contact to import to the Allow List, the application stores the entered data in a ContentProvider located at "content://com.drivemode.contentprovider.ContactsProvider/allowlist". This ContentProvider is unprotected: any application that knows the Provider URI can query it for data without any additional permissions. If the user chooses to import their existing contacts, this leaks the names and phone numbers of those contacts.
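As an added example (not code from the original report or from the application), the following Python audit flags providers in a decoded AndroidManifest.xml that other apps can read without holding a permission, which is the condition described above. The sample manifest and every name in it are constructed, the manifest is assumed to carry a `<uses-sdk>` element, and `<path-permission>` elements are not evaluated.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; package, class and permission names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".OpenProvider"
              android:authorities="com.example.app.open"/>
    <provider android:name=".WriteGuardedProvider"
              android:authorities="com.example.app.writeguard"
              android:exported="true"
              android:writePermission="com.example.app.WRITE"/>
    <provider android:name=".ReadGuardedProvider"
              android:authorities="com.example.app.readguard"
              android:exported="true"
              android:readPermission="com.example.app.READ"/>
    <provider android:name=".PrivateProvider"
              android:authorities="com.example.app.private"
              android:exported="false"/>
  </application>
</manifest>
"""

def readable_providers(manifest_xml):
    """Return authorities of providers that any installed app can query."""
    root = ET.fromstring(manifest_xml.strip())
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1")) if sdk is not None else 1
    target = int(sdk.get(ANDROID + "targetSdkVersion", min_sdk)) if sdk is not None else min_sdk
    # With no android:exported attribute, a provider is exported when the app
    # targets API level 16 or lower and private when it targets 17 or higher.
    default_exported = target < 17
    findings = []
    for provider in root.iter("provider"):
        exported = provider.get(ANDROID + "exported")
        is_exported = default_exported if exported is None else exported == "true"
        # Reads are gated by readPermission, or by permission if that is absent;
        # writePermission alone leaves query() open.
        read_guard = (provider.get(ANDROID + "readPermission")
                      or provider.get(ANDROID + "permission"))
        if is_exported and not read_guard:
            findings.append(provider.get(ANDROID + "authorities"))
    return findings

print(readable_providers(SAMPLE_MANIFEST))
```

Setting `android:exported="false"` on a provider that only the app itself uses, or requiring a read permission on one that must be shared, removes it from the findings.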

Exploit Scenario of Vulnerability

An existing application on the phone may retrieve a Cursor to the ContentProvider and iterate over it to retrieve the stored data (see the code snippet).

Steps needed to reproduce bug


1. Start the Drivemode application.
2. Insert/import at least one contact into the Allow List.
3. Run the snippet below in a separate, unprivileged Android application and view the Logcat output to show the data leakage.