Three of LG’s phones from its flagship G series were recently found to have vulnerabilities that would enable hackers to access files stored in the cloud using these handsets. The vulnerabilities are marked as high-severity issues, so owners should be wary of using their phones for storing important or very personal files and documents.
This week, cyber security solutions company MWR Labs published reports about two vulnerabilities it has found in the LG G3, LG G4 and LG G5 smartphones. The first report is labeled “LG Cloud Backup Application Path Traversal Vulnerability,” while the second one is entitled “LG G3 Arbitrary File Retrieval from Cloud Services.”
MWR Labs stated that the first vulnerability is found in the SmartShare.Cloud application that’s designed to give users access to various cloud services like Dropbox and Box from native applications. Specifically, the issue was discovered in the URL parameter. Attackers can alter the API call if they have knowledge of the names of the files and folders phone owners stored on Dropbox.
The path traversal vulnerability therefore allows attackers connected to the same network as any of the three phones to access media files or folders and make them shareable without authentication. Owners will not even notice that someone made changes to the data stored on Dropbox.
Although the second vulnerability is labeled as an issue on the LG G3, MWR Labs noted that it affects the other two G flagship handsets as well. The vulnerability is present when the phones are connected to a WiFi network: the SmartShare.Cloud app automatically launches an HTTP server that listens on all interfaces, allowing attackers to retrieve files without authentication.
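The checks whose absence the two reports describe (a URL parameter that is not confined to the intended folder, and an unauthenticated HTTP listener on all interfaces) can be sketched as follows. This is an added Python example, not code from MWR Labs or LG; the `path` parameter name, the `/Media` root, the session token and the URLs are hypothetical.

```python
import hmac
import ipaddress
import posixpath
from urllib.parse import parse_qs, urlsplit

ALLOWED_ROOT = "/Media"                    # hypothetical cloud folder the app may expose
SESSION_TOKEN = "constructed-token-0001"   # constructed sample secret


def is_loopback_bind(bind_addr):
    """True only if the listener is bound to a loopback address, not all interfaces."""
    try:
        return ipaddress.ip_address(bind_addr).is_loopback
    except ValueError:
        return False


def safe_cloud_path(raw_url):
    """Return the normalised 'path' query parameter, or None if it leaves ALLOWED_ROOT."""
    values = parse_qs(urlsplit(raw_url).query).get("path", [])
    if len(values) != 1:                   # missing or repeated parameter
        return None
    candidate = values[0]                  # parse_qs has percent-decoded it once
    if "\x00" in candidate or "\\" in candidate:
        return None
    resolved = posixpath.normpath(posixpath.join(ALLOWED_ROOT, candidate.lstrip("/")))
    if resolved != ALLOWED_ROOT and not resolved.startswith(ALLOWED_ROOT + "/"):
        return None
    return resolved


def authorize(bind_addr, token, raw_url):
    """Gate one request: loopback listener, valid token, path inside the allowed root."""
    if not is_loopback_bind(bind_addr):
        return (False, "listener is reachable from the network")
    if not hmac.compare_digest((token or "").encode(), SESSION_TOKEN.encode()):
        return (False, "missing or wrong session token")
    path = safe_cloud_path(raw_url)
    if path is None:
        return (False, "path parameter escapes the allowed root")
    return (True, path)


if __name__ == "__main__":
    # Constructed sample requests: one valid, one traversal, one exposed listener.
    for bind, tok, url in [
        ("127.0.0.1", SESSION_TOKEN, "http://127.0.0.1:8080/share?path=photos/a.jpg"),
        ("127.0.0.1", SESSION_TOKEN, "http://127.0.0.1:8080/share?path=%2e%2e%2fPrivate%2ftax.pdf"),
        ("0.0.0.0", None, "http://192.0.2.10:8080/share?path=photos/a.jpg"),
    ]:
        print(authorize(bind, tok, url))
```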
The severity of the two vulnerabilities may be high, but XDA Developers pointed out that attackers can only take advantage of these issues when they are connected to the same network as the G3, G4 and G5. The mobile software development site also stated that these vulnerabilities were discovered in the middle of the month — something unusual given that Android vulnerabilities are typically reported on a monthly basis.
LG already has a security update that fixes the vulnerabilities. Owners of the affected devices are advised to upgrade them to the latest OTA update version 2.4.0 because this can mitigate both problems. Users should check if the OTA update is already available in their region. If not, the best workaround is to avoid storing important and personal files and folders on Dropbox until the update is available for all three phones, as per Android Headlines.