Xiaomi is already infamous for pushing ads through its MIUI operating-system but these days the firm’s software and apps happen to be found to acquire vulnerabilities. Now, a different flaw has been discovered during the lock screen implementation of your latest MIUI versions which may give an assailant accessibility to user’s clipboard data. The main problem is claimed specifically to India region and exists not just on Redmi and Mi smartphones but also around the Poco F1. The vulnerability requires physical accessibility device to grant a backdoor permission to access the clipboard data and partial usage of user’s stored advertising and marketing credentials. Xiaomi has released a current version of its Mi Wallpaper Carousel app inside Play Store who has patched the vulnerability.
Security researcher Arif Khan on infosec blog Andmp reports how the latest MIUI stable releases suffer from a vulnerability that may give an opponent capability to connect to the Xiaomi phone’s clipboard. Sixty supposedly specific to India region, it exists on all of the recent MIUI builds. The flaw is said as being a part of the Wallpaper Carousel feature that Xiaomi gives in collaboration with InMobi — through its Glance app.
The Wallpaper Carousel feature was created to frequently showcase new wallpapers to the lock screen. Each one of the wallpapers presented on the lock screen carries a title and a Read More button that allows you to look at context within the image. The vulnerability primarily exists inside context the main feature the way it lets users share the featured content through their social media accounts without unlocking the extender. And also this includes to be able to paste data right from the clipboard. Similarly, users can add data to their clipboard direct in the content being served over the Wallpaper Carousel feature.
While the Wallpaper Carousel feature is disabled automagically, anyone who has physical accessibility to the device can enable it completely from the lock screen — by simply swiping the screen and then tapping the Turn on button.
Xiaomi’s Mi Wallpaper Carousel app was found to have a lock screen vulnerability
Photo Credit: Andmp
We were able to verify the existence of the flaw on our Poco F1 unit running the newest MIUI 10.3.4.0 version. The researcher claims he found the vulnerability on a device based upon MIUI 10.1.3.0. This suggests that your issue isn’t confined to any specific MIUI version as well as being available but not only on some Xiaomi’s Redmi and Mi phones but also about the Poco F1 that runs a modified MIUI build.
After the initial media reports with regards to the vulnerability surfaced, Xiaomi has released an updated sort of the Mi Wallpaper Carousel app on-line Play, which plugs the vulnerability, restricting accessibility to the clipboard along with social network accounts. If you use a Xiaomi smartphone, our recommendation is that you update the Mi Wallpaper Carousel app with your phone.
We’ve reached seem to Xiaomi for additional information on the vulnerability all of which will update this report after we hear back through the company.
Importantly, it isn’t really the very first time when Xiaomi has hit the headlines over the security flaw within the apps or software. Just earlier this year, the security app Xiaomi Guard Provider, links pre-installed for the Xiaomi phones, is discovered using a serious vulnerability that will allow an assailant to wreak havoc by intercepting the traffic linked to the app. The Mi Browser and Mint Browser from the Chinese company were also found to possess a critical URL spoofing security issue.
Xiaomi also faces consumer outage over the way it serves ads through different MIUI elements. Xiaomi CEO Lei Jun earlier this year revealed that MIUI 11 would restrict ads to a certain degree and take off vulgar ads.
Do Redmi Note 7 Pro, Redmi Note 7, and Mi Soundbar redefine their price segments? We discussed this on Orbital, our weekly technology podcast, which you may sign up for via Apple Podcasts or RSS, download the episode, or simply just hit the play button below.