Vulnerability CVE-2018-17400


Published: 2018-09-23   Modified: 2018-09-24

Description:
** DISPUTED ** The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by intercepting the user name and PIN during the initial configuration of the application. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots.

Type:

CWE-noinfo

CVSS2 => (AV:L/AC:H/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
1.2/10
2.9/10
1.9/10
Exploit range
Attack complexity
Authentication
Local
High
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Phonepe -> Phonepe 

 References:
https://github.com/magicj3lly/appexploits/blob/master/PhonePe-%20Authentication%20Bypass-1.pdf

Copyright 2024, cxsecurity.com

 

Back to Top