Title: |
Vulnerability in WBlog and MicroBlogPad (腾讯微博) for Android |
Time: |
29 Dec 2011 |
Author: |
Daoyuan Wu*, Xiapu Luo* and Rocky K. C. Chang |
|
Department of Computing, The Hong Kong Polytechnic University, Hong Kong |
|
* authors with equal contributions |
CVE ID: |
CVE-2011-4865 |
Category: |
Newly Confirmed
|
Related Vendor: |
Tencent, Inc. |
Archive Time: |
December 29, 2011 at 2:51 PM HKT |
Package Name: |
com.tencent.WBlog |
Full Name: |
WBlog ("腾讯微博" in Chinese) || MicroBlogPad ("腾讯微博HD" in Chinese) |
Affected Version: |
3.3.1 (the latest version as of 29 Dec 2011) || 1.4.0 (the latest version as of 29 Dec 2011) |
Package Installs: |
100,000 - 500,000 || 1,000 - 5,000 |
Market Link: |
https://market.android.com/details?id=com.tencent.WBlog |
Update Log: |
1.4.0 and 1.5 of com.tencent.microblog also have this vulnerability! |
Status: |
Brief impact description now released to the public.
|
Brief Description: |
Allows a malicious application to access and manipulate the user’s private information (e.g., account, draft messages, search keywords, etc.) protected by WBlog. |
Contact Time: |
Dec 31, 2011 at 2:47 PM HKT
|
Confirm Time: |
Dec 31, 2011 at 6:08 PM HKT |
Patched Time: |
They didn't notify us about the detailed patch time and version. |
Patched Status: |
We've checked version 3.4.1 of com.tencent.WBlog, which has patched the vulnerability, while the latest version of com.tencent.microblog as of Mar 16 2012, 1.5, still has this vulnerability! |
Although we only mention one or several affected versions in our report, other versions may also be vulnerable, e.g. lower versions, pad versions or paid versions.