Android Apps Fail to Protect User Data During Device Transfer

Several Android applications have been observed not invalidating or revalidating session cookies during app data transfers from one device to another.

According to a new advisory by CloudSEK researchers, this weakness could allow an attacker to use a highly privileged device migration tool to move an application to a new Android device, where the copied session remains valid.

“This means that someone with physical access to your unlocked device can copy app data to their device for a period of time and impersonate you and your account. They could use the application on your behalf without entering your login ID or password,” the company wrote.

CloudSEK explained that certain applications such as WhatsApp also allow actors to bypass 2FA mechanisms. The researchers conducted an experiment using two Realme devices to verify the claims.

“This issue occurs when the private key used by WhatsApp is copied to the new phone. So on the WhatsApp side, these two devices are authenticated using the same credentials, so they look the same.”

In the advisory, CloudSEK said it had reported the vulnerability to Meta, but Meta deemed it a social engineering scenario and dismissed it as a security issue. Infosecurity has requested comment from Meta on this matter.

“We tried to replicate the same method on Instagram, considering both are owned and operated by Meta, but Instagram logged out all accounts and required new logins,” CloudSEK revealed.

Other popular apps that failed to invalidate session cookies include Canva, Snapchat, Telegram, LinkedIn, Discord and Booking.com.
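The behaviour Instagram showed, and the one the affected apps lacked, is a server-side check that a session token is only honoured on the device it was issued to. The following is an added illustration written for this article, not code from CloudSEK or any of the apps named; the device attributes and the session store are constructed and simplified.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Server-side session table that binds each token to a device fingerprint.

    Constructed example: a real service would persist this table and would pick
    device attributes that a migration tool does not copy along with app data.
    """

    def __init__(self):
        self._sessions = {}  # token -> (user, bound device fingerprint)

    @staticmethod
    def device_fingerprint(device: dict) -> str:
        # Hash of identifiers that belong to the hardware/OS image rather than to
        # the app's private storage, so a copied app directory does not carry them.
        material = "|".join(device[k] for k in ("android_id", "model", "build"))
        return hashlib.sha256(material.encode()).hexdigest()

    def login(self, user: str, device: dict) -> str:
        """Issue a fresh opaque token after a full (password/2FA) login."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self.device_fingerprint(device))
        return token

    def authenticate(self, token: str, device: dict):
        """Return the user if the token is valid and presented from the bound device.

        A token arriving from a different device is treated as copied app data:
        the session is revoked and the caller must log in again.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound_fp = entry
        presented_fp = self.device_fingerprint(device)
        if not hmac.compare_digest(bound_fp, presented_fp):
            del self._sessions[token]  # invalidate rather than silently accept
            return None
        return user
```

A client that also keeps a device-specific key outside the migrated app directory (for example in hardware-backed storage) gives the server a stronger binding than the constructed attribute hash used here.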

Read more on the Booking.com-focused attack: API security flaw discovered at Booking.com allows complete account takeover

“Password-protecting your phone is essential to mitigating this threat,” warns CloudSEK. “If you can’t download an app yourself, don’t give your device to someone else to download it for you. Before granting access to an app, carefully check the permissions it needs and revoke privileges once the task is complete.”

The recommendation comes a few weeks after Google announced a new policy for Android apps, mandating additional deletion options for both user accounts and the data associated with them.
