LG closes leaks in its own backup software that gives access to Dropbox data

Spread the love

LG closed leaks in its own SmartShare.Cloud application late last year, which allows users to manage backups. MWR Labs discovered the vulnerabilities and now reports that the LG G3, G4, and G5 were vulnerable and allowed access to Dropbox data.

It concerns two leaks, writes MWR Labs. The first allows an attacker on the same network as the victim to intercept an API call to Dropbox. If the attacker has knowledge of file or folder names, by modifying the request, he can make the folder or file shareable and thus gain access. The victim wouldn’t have to do anything for this and he wouldn’t notice it either.

According to the security company, this makes folders with obvious names such as ‘documents’ and ‘images’ easy to find. The second leak is related to the first and then allowed the attacker to query the files he knew by name without authentication. For this, the attacker also had to be present on the same network.

LG has implemented the patches in version 2.4.0 of the SmartShare.Cloud application by introducing encryption and signing and checking the origin and purpose of requests.

You might also like