A number of safety vulnerabilities have been disclosed in numerous purposes and system elements inside Xiaomi gadgets operating Android.
“The vulnerabilities in Xiaomi led to entry to arbitrary actions, receivers and companies with system privileges, theft of arbitrary recordsdata with system privileges, [and] disclosure of cellphone, settings and Xiaomi account information,” cell safety agency Oversecured stated in a report shared with The Hacker Information.
The 20 shortcomings affect totally different apps and elements like –
- Gallery (com.miui.gallery)
- GetApps (com.xiaomi.mipicks)
- Mi Video (com.miui.videoplayer)
- MIUI Bluetooth (com.xiaomi.bluetooth)
- Telephone Companies (com.android.cellphone)
- Print Spooler (com.android.printspooler)
- Safety (com.miui.securitycenter)
- Safety Core Part (com.miui.securitycore)
- Settings (com.android.settings)
- ShareMe (com.xiaomi.midrop)
- System Tracing (com.android.traceur), and
- Xiaomi Cloud (com.miui.cloudservice)
Among the notable flaws embrace a shell command injection bug impacting the System Tracing app and flaws within the Settings app that would allow theft of arbitrary recordsdata in addition to leak details about Bluetooth gadgets, related Wi-Fi networks, and emergency contacts.
It is value noting that whereas Telephone Companies, Print Spooler, Settings, and System Tracing are respectable elements from the Android Open Supply Mission (AOSP), they’ve been modified by the Chinese language handset maker to include further performance, main to those flaws.
Additionally found is a reminiscence corruption flaw impacting the GetApps app, which, in flip, originates from an Android library known as LiveEventBus that Oversecured stated was reported to the undertaking maintainers over a yr in the past and stays unpatched up to now.
The Mi Video app has been discovered to make use of implicit intents to ship Xiaomi account data, equivalent to username and electronic mail deal with through broadcasts, which could possibly be intercepted by any third-party app put in on the gadgets utilizing its personal broadcast receivers.
Oversecured stated the problems have been reported to Xiaomi inside a span of 5 days from April 25 to April 30, 2024. Customers are suggested to use the most recent updates to mitigate in opposition to potential threats.
