'Snap' data theft vulnerability leaves LG G3 owners at risk

Security researchers have discovered a vulnerability in LG G3 smartphones which could be exploited to run arbitrary JavaScript to steal data. The issue has been named Snap, and was discovered by Israeli security firms BugSec and Cynet.

What is particularly concerning about Snap is that it affects the Smart Notice which is installed on all LG G3s by default. By embedding malicious script in a contact, it is possible to use WebView to run server side code via JavaScript. If exploited, the vulnerability could be used to gather information from SD cards, steal data from the likes of WhatsApp, and steal private photos.

Researchers identified a number of possible attack vectors, including asking a victim to scan a QR code, or sending a fake contact via WhatsApp or MMS. Liran Segal and Shachar Korot, who discovered the vulnerability, say they contacted LG and the company responded quickly by updating Smart Notice with a patch. The onus is on G3 owners to install the update

In a blog post, Cynet says: "The root cause for the security problem is the fact that Smart Notice does not validate the data presented to the users. Data can be taken from the phone contacts and manipulated. The attack can take place in several ways due to functionality issues of the Smart Notice application. The application pops notifications (named 'cards') in each of these scenarios:

  • Favourite contact notification – Recommends you keep in touch with favourite contacts.
  • New contact suggestion – Suggests saving a caller number.
  • Callback reminder – Reminder to callback a contact after declining the call.
  • Birthday notification – Reminder about contact birthday.
  • Memo reminder – Provides notifications about user memos."

The video above from BugSec Group shows how the vulnerability can be exploited.