In this long-read post, we will be discussing a critical security vulnerability identified as CVE-2022-1130. The issue lies in the insufficient validation of trust input in WebOTP, a feature in the Google Chrome browser on Android platforms prior to version 100.0.4896.60.

This vulnerability allows a remote attacker to send arbitrary intents from any app using a malicious app, posing a severe threat to users' sensitive information and overall security. We will delve deep into the exploit details, provide code snippets, and share the original references to help you understand and tackle this critical issue.

Background

WebOTP, or Web One-Time Password, is a web-based mechanism for generating and consuming one-time passwords (OTPs) directly in a browser, without requiring additional hardware or software tokens. However, it has been discovered that Google Chrome's implementation of WebOTP on Android platforms has a significant security flaw, which is tracked as CVE-2022-1130.

The Vulnerability - CVE-2022-1130

Insufficient validation of trust input allows a remote attacker to send arbitrary intents from any app via a malicious app. This issue affects the Google Chrome browser on Android platforms prior to version 100.0.4896.60. This vulnerability permits a malicious entity to bypass the security checks implemented in the target system and execute arbitrary code, compromising the device's security and users' sensitive data.

Exploit Details

Typically, the WebOTP feature requires a user's consent to allow an app to read the OTP received in SMS messages. This process should also include validation checks that verify the authenticity and trustworthiness of the requesting application.

However, the vulnerability in question allows a malicious app to circumvent this consent mechanism and send arbitrary intents without validation. The following pseudocode represents a potential malicious attempt to abuse this vulnerability:

// Malicious app code execution
try {
   Intent webOTPIntent = new Intent("com.example.webotp.SEND_INTENT");
   webOTPIntent.putExtra("otp", "arbitrary_otp_value");
   webOTPIntent.putExtra("origin", maliciousAppPackageName);
   startActivity(webOTPIntent);
} catch (ActivityNotFoundException e) {
   // Handle the error
}

In the code above, the malicious app is sending an intent with arbitrary information to exploit the vulnerable version of Google Chrome on the target Android device.

Mitigation

Upgrading to Google Chrome version 100.0.4896.60 or later will prevent the exploitation of this vulnerability. Make sure to update the browser on Android devices to ensure security and privacy. Additionally, users should avoid installing untrusted apps from unverified sources.
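
To find devices that still run a build older than the fixed release, the version check can be scripted. The following is an added example, not code from the original post or from Google; it assumes the text comes from `adb shell dumpsys package com.android.chrome`, and the sample outputs and device names are constructed.

```python
import re

# Fixed Chrome for Android release named in the Mitigation section.
FIXED = (100, 0, 4896, 60)
VERSION_RE = re.compile(r"^\s*versionName=(\d+(?:\.\d+){3})\s*$")

# Constructed dumpsys excerpts keyed by made-up device names.
SAMPLES = {
    "device-a": "Packages:\n  Package [com.android.chrome] (1a2b3c):\n"
                "    versionName=99.0.4844.88\n",
    "device-b": "Packages:\n  Package [com.android.chrome] (1a2b3c):\n"
                "    versionName=100.0.4896.127\n"
                "Hidden system packages:\n  Package [com.android.chrome] (4d5e6f):\n"
                "    versionName=91.0.4472.114\n",
    "device-c": "Packages:\n  Package [com.android.chrome] (1a2b3c):\n"
                "    versionName=100.0.4896.9\n",
    "device-d": "Unable to find package: com.android.chrome\n",
}


def active_chrome_version(dumpsys_text):
    """Return the active version as a 4-tuple of ints, or None if absent."""
    for line in dumpsys_text.splitlines():
        # Assumption: the copy under this header is the stale factory
        # image of an updated system app, so parsing stops before it.
        if line.strip() == "Hidden system packages:":
            break
        match = VERSION_RE.match(line)
        if match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None


def classify(dumpsys_text):
    """Return 'vulnerable', 'patched' or 'not-installed' for one device."""
    version = active_chrome_version(dumpsys_text)
    if version is None:
        return "not-installed"
    # Integer tuples compare numerically: build 9 sorts before build 60,
    # which a plain string comparison would get wrong.
    return "vulnerable" if version < FIXED else "patched"


def audit(samples):
    """Map each device name to its classification."""
    return {name: classify(text) for name, text in samples.items()}


if __name__ == "__main__":
    for device, status in audit(SAMPLES).items():
        print(f"{device}: {status}")
```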

Original References

1. CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2022-1130
2. Google Chrome Releases: https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_15.html

Conclusion

In conclusion, the CVE-2022-1130 vulnerability poses a significant threat to users running Google Chrome on Android devices prior to version 100.0.4896.60. Insufficient validation of trust input in WebOTP allows a remote attacker to send arbitrary intents from any app via a malicious app, potentially compromising users' security and sensitive information. It is essential to update Google Chrome to the latest version and be cautious when installing apps from unknown sources. Stay informed, stay safe!

Timeline

Published on: 07/23/2022 00:15:00 UTC
Last modified on: 08/15/2022 11:16:00 UTC