
vulnerability - theft of SMS code via screenshot

Open OmlineEditor opened this issue 1 year ago • 6 comments

DESCRIPTION

Many services now require two-factor authentication, and for this they send SMS codes. Other programs that do not have access to SMS can intercept the code when the user opens the application and looks at what came in the SMS. Any other application can easily take a screenshot and find out the code from the SMS.

STEPS

  1. The user uses the phone and the hacker application sees it
  2. The hacker sends a code to my number
  3. I get a text message
  4. I open the application QKSMS to view the message
  5. The hacker application takes screenshots while waiting for a message with a code to be opened, in order to steal it

EXPECTED

In the application settings, you need to add the option to prohibit taking screenshots for QKSMS. You can see how this is implemented in the application https://github.com/Kunzisoft/KeePassDX

OBSERVATIONS

Currently there is no such setting to increase security.

OmlineEditor avatar Feb 17 '23 20:02 OmlineEditor
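
The setting requested in this issue, sketched as an added example (not code from QKSMS or KeePassDX): Android's `WindowManager.LayoutParams.FLAG_SECURE` excludes a window from screenshots, screen recordings and the recent-apps thumbnail, and the base activity below applies it from a user preference. The class name, preference file name and preference key are hypothetical.

```kotlin
import android.app.Activity
import android.content.Context
import android.content.SharedPreferences
import android.os.Bundle
import android.view.WindowManager

// Hypothetical names: not taken from the QKSMS or KeePassDX code bases.
private const val PREFS_NAME = "security_prefs"
private const val KEY_BLOCK_SCREENSHOTS = "block_screenshots"

/** Activities that display message content extend this class. */
abstract class SecureActivity : Activity() {

    private lateinit var prefs: SharedPreferences

    // Kept in a field: SharedPreferences holds listeners only weakly.
    private val prefListener =
        SharedPreferences.OnSharedPreferenceChangeListener { _, key ->
            if (key == KEY_BLOCK_SCREENSHOTS) applySecureFlag()
        }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        prefs = getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
        // Apply before the first frame so no unprotected content is drawn.
        applySecureFlag()
    }

    override fun onStart() {
        super.onStart()
        // The setting may have changed while this activity was stopped.
        applySecureFlag()
        prefs.registerOnSharedPreferenceChangeListener(prefListener)
    }

    override fun onStop() {
        prefs.unregisterOnSharedPreferenceChangeListener(prefListener)
        super.onStop()
    }

    private fun applySecureFlag() {
        // Assumption: protection is on by default and the user may opt out.
        if (prefs.getBoolean(KEY_BLOCK_SCREENSHOTS, true)) {
            window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        } else {
            window.clearFlags(WindowManager.LayoutParams.FLAG_SECURE)
        }
    }
}
```

Dialogs and popup windows have their own `Window`, so any that show message text need the flag set separately.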

For better security:

  1. Don't use SMS for messaging if you have alternatives.
  2. Never use it for 2FA if you have the chance.

Silther avatar Feb 23 '23 11:02 Silther

In our country, they require the use of SMS for the second factor and there are no alternatives for many applications and services at all.

OmlineEditor avatar Feb 23 '23 14:02 OmlineEditor

I'm fairly sure any app cannot simply "take a screenshot." They need certain permissions, I believe including "Display over other apps" and/or Accessibility permissions. Of course, this could be accomplished even more easily with the "Manage SMS" or "Read notifications" permissions.

So, why are you granting these high-level permissions to apps you think are going to steal, of all things, your one-time 2FA codes?

Android has all the built-in security necessary to avoid this issue. If you're handing out app permissions and opening up new vulnerabilities, that's a user choice.

e-t-l avatar Mar 03 '23 17:03 e-t-l

To access a screenshot of the screen, no permissions are required at all. Over windows is not required; the vulnerability problem remains. Android now has no protection against interception of images from the screen through a screenshot; I tested it on the application by recording the screen.

OmlineEditor avatar Mar 04 '23 17:03 OmlineEditor

Good news is, that's not true. Screen recording is a built-in Android function; it's not something any old app can do. It requires certain permissions. You can read more about it here: https://source.android.com/docs/core/permissions/restricted-screen-reading The bottom line remains, don't grant extensive privileges to untrusted apps.

e-t-l avatar Mar 04 '23 18:03 e-t-l

The bad news is that this is only from the 10th version of Android. Up to and including version 9, any application can access the screen. A lot of devices have an Android version up to and including 9. The vulnerability remains; it is better to fix it. Moreover, many users are inexperienced and do not understand which permissions can be given and which cannot.

OmlineEditor avatar Mar 05 '23 17:03 OmlineEditor