September 9, 2022
CVE - 2022 - 20340 - Android OS user activity information disclosure via side-channel vulnerability
Description
In SELinux policy, there is a possible way of inferring which websites are being opened in the browser due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation
Exploitation
The vulnerability was discovered as part of a research about side-channel vulnerabilities through Android NDK / libc functions.
More details are available at the following URL: https://arxiv.org/pdf/2204.05911.pdf”>https://arxiv.org/pdf/2204.05911.pdf
More details are available at the following URL: https://arxiv.org/pdf/2204.05911.pdf”>https://arxiv.org/pdf/2204.05911.pdf
Impact
By exploiting the vulnerability, it would be possible to infer, under certain conditions, the websites accessed using a browser on a specific Android device
Remediation
To fix the vulnerability, it is necessary to update the Android OS to Android 13.
Credits
Valerio Brussani (@valbrux) — NoZero