Screenshot Vulnerability in ASUS ZenFone 3 Max Android Device by ASUS
CVE-2018-14980

7.1 HIGH

Key Information:

Vendor: Asus
CVE Published: 25 April 2019

Summary

The ASUS ZenFone 3 Max Android device has an improper access control vulnerability in the system_server process that allows malicious applications to capture screenshots without user consent. Any app co-located on the device can trigger the flaw to initiate a screenshot operation and have the image saved to external storage. If the attacking app also obtains the EXPAND_STATUS_BAR permission, it can wake the device and reveal sensitive notifications, including two-factor authentication messages, even while the device is locked. Because the affected process belongs to the core Android framework and cannot be disabled, users remain exposed to information leakage and misuse of their private data.

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
