Vulnerability Abstract

Title: Vulnerability in WBlog and MicroBlogPad (腾讯微博) for Android
Time: 29 Dec 2011
Author: Daoyuan Wu*, Xiapu Luo* and Rocky K. C. Chang
Department of Computing, The Hong Kong Polytechnic University, Hong Kong
* authors with equal contributions
CVE ID: CVE-2011-4865
Category: Newly Confirmed
Related Vendor: Tencent, Inc.

Application Information

Archive Time: December 29, 2011 at 2:51 PM HKT
Package Name: com.tencent.WBlog
Full Name: WBlog (Chinese name: "腾讯微博") || MicroBlogPad (Chinese name: "腾讯微博HD")
Affected Version: 3.3.1 (the latest version as of 29 Dec 2011) || 1.4.0 (the latest version as of 29 Dec 2011)
Package Installs: 100,000 - 500,000 || 1,000 - 5,000
Market Link: https://market.android.com/details?id=com.tencent.WBlog
Update Log: 1.4.0 and 1.5 of com.tencent.microblog also have this vulnerability!

Vulnerability Details

Status: Brief impact description is now released to the public.
Brief Description: Allows a malicious application to access and manipulate the user's private information (e.g., account, draft messages, search keywords, etc.) protected by WBlog.

Vendor Response

Contact Time: Dec 31, 2011 at 2:47 PM HKT
Confirm Time: Dec 31, 2011 at 6:08 PM HKT
Patched Time: They did not notify us of the detailed patch time and version.
Patched Status: We have checked version 3.4.1 of com.tencent.WBlog, which has patched the vulnerability. However, the latest version of com.tencent.microblog as of Mar 16 2012, 1.5, still has this vulnerability!

Important Notes

Although we only mention one or several affected versions in our report, other versions may also be vulnerable, e.g. lower versions, pad versions or paid versions.

Related Vulnerabilities