LG issues security patch for the LG G3 to address critical vulnerability



LG has released a security patch for the 2-year-old LG G3 flagship smartphone. The update addresses a serious flaw that could allow attackers to run arbitrary JavaScript code on an estimated 10 million vulnerable devices.

The vulnerability, dubbed ‘SNAP’ by researchers from security firms BugSec Group and Cynet, was found in LG Smart Notice, an app that is preinstalled on all LG G3 handsets and is responsible for displaying suggestions, related notifications and reminders, much like Google Now. The researchers found that, under certain circumstances, the app fails to validate user data. This lets attackers forge notifications and inject and execute unauthenticated code to manipulate and steal sensitive information, even from a mounted SD card.

Using the vulnerability, an attacker can easily expose the user's device to data theft, extracting private information saved on the SD card, including WhatsApp data and private images; expose the user to phishing by misleading them; and enable the installation of a malicious program on the device.

LG was quickly informed and subsequently released a patch for all LG G3 smartphones. Affected handsets should see an update notification pop up in the next couple of days.

via Ars Technica