Due to a race condition check, an app may display an IME window with its height set to 0 if another app with a higher priority is already showing such a window. If a user opens an app with an IME, such as Hangouts or SMS, while another app with a higher priority is already displaying an IME window, the higher-priority app takes precedence and gets the full-screen display of its window.

By setting its priority to a very high value, such as 10 or above, and manipulating the window height to be 0, an app may be able to take over the full display of the other app’s window. This is possible due to the race condition check in the getInputMethodWindowVisibleHeight() function.

The getInputMethodWindowVisibleHeight() race condition check tests whether another app is already displaying a window with a height of 0. If another app is already displaying such a window, getInputMethodWindowVisibleHeight() will return false, preventing the app from setting its height to 0. As a result, the app will not be able to take over the full display of the other app’s window.

CVE-2023-20453

An application may be able to circumvent the permission system on Android by checking for the presence of a specific permission and then using that permission if it has not been granted. If an app checks for a permission and then uses that permission if it is not granted, it could allow the app to access restricted capabilities without being properly authenticated.

CVE-2022-20395

If an app's priority is set to a very high value and the window height is set to 0, it may be able to take over the full display of another app’s window.
This issue is due to a race condition check in getInputMethodWindowVisibleHeight().

Timeline

Published on: 10/11/2022 20:15:00 UTC
Last modified on: 10/13/2022 02:42:00 UTC
