• Home
  • Apps
  • Apps News
  • Bumble, OKCupid Android Apps Plagued With an Old Flaw That Puts Millions of Users’ Data at Risk: Check Point

Bumble, OKCupid Android Apps Plagued With an Old Flaw That Puts Millions of Users’ Data at Risk: Check Point

This known flaw, CVE-2020-8913, was patched by Google in April itself, but app developers must install the new Play Core library in order to make threat fully go away.

Bumble, OKCupid Android Apps Plagued With an Old Flaw That Puts Millions of Users’ Data at Risk: Check Point

Grindr, Bumble, OKCupid, Cisco Teams, Edge are reportedly still vulnerable to a dangerous flaw

Highlights
  • Google patched this bug in April and rated it 8.8 out of 10 in severity
  • Viber, Booking updated to patched versions after Check Point notification
  • Threat actors can use flaw to steal login details, passwords, financial d

Grindr, Bumble, OKCupid, Cisco Teams, Yango Pro, Edge, Xrecorder, PowerDirector, and many other popular apps are still vulnerable to a Play Core library flaw that puts hundreds of millions of Android users' data to risk, research firm Check Point reports. This flaw was patched by Google in April itself, but app developers themselves must install new Play Core library in order to make threat fully go away. All of the above-mentioned apps are still on the old Play Core library version. Viber and Booking apps were also on the old version, but they soon updated their Play Core library, once intimated by Check Point.

Security researchers at Check Point say that these apps — Grindr, Bumble, OKCupid, Cisco Teams, Yango Pro, Edge, Xrecorder, PowerDirector – are still vulnerable to the to the known vulnerability CVE-2020-8913, even after Google released its patch in April. The flaw is rooted in Google's widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps. The vulnerability reportedly allows a threat actor to use these vulnerable apps to siphon off sensitive data from other apps on the same device, stealing users' private information, such as login details, passwords, financial details, and mail.

Google acknowledged this bug and rated it an 8.8 out of 10 in severity. It has been more than half a year since the patch has been rolled out by the tech giant, but app developers haven't themselves installed the Play Core library update. Check Point notes that 13 percent of Google Play apps analysed by them in September used the Google Play Core library, and 8 percent of those apps continued to have a vulnerable version. Viber and Booking apps updated to patched versions after Check Point notified them about the vulnerability.

Manager of Mobile Research, Check Point, Aviran Hazum says, “We're estimating that hundreds of millions of Android users are at security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentications codes or inject code into banking applications to grab credentials. Or, a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor's imagination.”

All users who have these malicious apps installed on their handsets are putting their sensitive data at risk. Before these apps update their Play Core library, it is recommended to uninstall these apps from your Android phones.


Should the government explain why Chinese apps were banned? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Tasneem Akolawala is a Senior Reporter for Gadgets 360. Her reporting expertise encompasses smartphones, wearables, apps, social media, and the overall tech industry. She reports out of Mumbai, and also writes about the ups and downs in the Indian telecom sector. Tasneem can be reached on Twitter at @MuteRiot, and leads, tips, and releases can be sent to tasneema@ndtv.com. More
Vivo Y52s With MediaTek Dimensity 720 SoC, Dual Rear Cameras Launched: Price, Specifications

Related Stories

Share on Facebook Tweet Snapchat Share Reddit Comment
 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2021. All rights reserved.
Listen to the latest songs, only on JioSaavn.com