Vulnerability Alert: Indeed app remote code execution vulnerability

The Trustlook security research team has discovered a WebView remote code execution vulnerability in the Indeed Job Search app, one of the most popular job-seeking apps, with 10 million to 50 million installations on Google Play.

A proof-of-concept video is embedded in the original post.

This vulnerability affects the latest version of the Indeed Job Search app. When a user opens the app on a compromised network, an attacker can execute arbitrary code on the phone by injecting a small piece of JavaScript into the app's plaintext HTTP traffic, which the app's WebView then runs. On a rooted phone the attacker can do almost anything remotely, such as installing an APK downloaded from the internet. Even on an unrooted phone, a successful exploit gives the attacker access to the SD card and to sensitive information the app can read.
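The advisory does not say which WebView setting Indeed got wrong, only that script injected into HTTP traffic reaches a WebView and runs with the app's privileges. The example below is an added illustration, not Indeed's code or Trustlook's proof of concept: it shows the classic pattern that produces exactly this outcome on Android (JavaScript enabled, a Java object exposed through addJavascriptInterface, content loaded over cleartext HTTP) next to a hardened configuration. The NativeBridge class, the example.invalid host and the isAllowed() policy are assumptions made up for the illustration.

```java
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class WebViewHardening {

    /** Hypothetical bridge object; the advisory does not say what, if anything, Indeed exposed. */
    public static final class NativeBridge {
        @JavascriptInterface            // on API 17+ only annotated methods are reachable from script
        public String appVersion() { return "1.0"; }
    }

    // Vulnerable pattern. Script is enabled, a Java object is reachable from page script, and the
    // page is fetched over cleartext HTTP, so anyone on the network path can rewrite the response.
    // On API < 17 the annotation is not enforced: injected script can reach Runtime via reflection
    // (bridge.getClass().forName("java.lang.Runtime")...) and run commands as the app user.
    // On any API level, injected script can call every exposed method and read what the page reads.
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void vulnerable(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
        wv.addJavascriptInterface(new NativeBridge(), "bridge");
        wv.loadUrl("http://example.invalid/jobs");   // assumed URL; cleartext is the root problem
    }

    // Hardened pattern: HTTPS only, no file/content URL access, no mixed content, no bridge on
    // platforms where the annotation is not enforced, and navigation pinned to one origin.
    @SuppressLint("SetJavaScriptEnabled")
    public static void hardened(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);               // keep only if the page really needs it
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        }
        // Bridges the platform itself registers on some versions; remove them explicitly.
        wv.removeJavascriptInterface("searchBoxJavaBridge_");
        wv.removeJavascriptInterface("accessibility");
        wv.removeJavascriptInterface("accessibilityTraversal");
        // Expose an app bridge only where @JavascriptInterface is enforced (API 17+).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            wv.addJavascriptInterface(new NativeBridge(), "bridge");
        }
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(url);             // returning true cancels the navigation
            }
        });
        wv.loadUrl("https://example.invalid/jobs");
    }

    /** Allow-list: HTTPS and the app's own host only (assumed host). */
    static boolean isAllowed(String url) {
        return url.startsWith("https://example.invalid/");
    }
}
```

Two checks worth running against any app that shows this symptom: capture its traffic and confirm that nothing the WebView renders arrives over plain HTTP, and decompile the APK and look for addJavascriptInterface calls reachable from that content. On Android 7 and later the same policy can be enforced app-wide with a network security config that sets cleartextTrafficPermitted to false, which stops the injection at the transport layer regardless of WebView settings.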

We strongly recommend that users open this app only on a trusted network until the vendor officially releases a patch.

Jan 16: Vulnerability discovered during routine scanning of Google Play
Jan 16: Marked as "risky app" in Trustlook Antivirus
Feb 12: Contacted vendor
Mar 6: No response from vendor. Public disclosure.
