LG has patched two severe vulnerabilities that reside in the default keyboard on all mainstream LG smartphones, including its flagship handsets; the flaws could be used to remotely execute code with elevated privileges.
LG’s update also includes a fix from Google for a critical Android issue.
The first issue stems from the keyboard’s support for handwriting modes in various languages. When a new language or an update for an existing one is installed, the device reaches out to a hardcoded server, from which it retrieves the requested language file or library. According to Check Point, which reported the flaws, the problem is that this download is done over an insecure HTTP connection, exposing it to man-in-the-middle attacks. A remote attacker in that position could simply have the device download a malicious file instead of the intended language file.
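One way an update client can close the gap described above, as an added example that is not LG's or Check Point's code: refuse any non-HTTPS or off-host URL, and accept a downloaded language pack only if its size and SHA-256 digest match values pinned inside the app. The host name, manifest layout, function names and sample bytes are all hypothetical and constructed for illustration; the fetched bytes are passed in so the check runs offline.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data: a manifest shipped inside the signed app package,
# pinning each language pack to a size and a SHA-256 digest.
GOOD_PACK = b"constructed handwriting language pack v1"
MANIFEST = {
    "fr": {"size": len(GOOD_PACK), "sha256": hashlib.sha256(GOOD_PACK).hexdigest()},
}
UPDATE_HOST = "updates.example.com"  # hypothetical hardcoded update server


class PackRejected(Exception):
    """Raised when a download fails a transport or integrity check."""


def check_url(url):
    parts = urlsplit(url)
    if parts.scheme != "https":  # plain HTTP can be rewritten in transit
        raise PackRejected("refusing non-HTTPS download")
    if parts.hostname != UPDATE_HOST:  # only the expected server is allowed
        raise PackRejected("unexpected host")


def verify_pack(lang, url, body):
    """Return body only if the URL and the content match what the app pinned."""
    check_url(url)
    entry = MANIFEST.get(lang)
    if entry is None:
        raise PackRejected("no pinned entry for language")
    if len(body) != entry["size"]:
        raise PackRejected("size mismatch")
    digest = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        raise PackRejected("digest mismatch")
    return body  # safe to hand to the installer


def try_install(lang, url, body):
    """Report the outcome as a string so callers can log rejected downloads."""
    try:
        verify_pack(lang, url, body)
        return "installed"
    except PackRejected as exc:
        return "rejected: " + str(exc)
```

Rejections are worth logging on the device or backend, since a digest or size mismatch on a pinned file is a strong signal of tampering in transit.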