Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It isn't an Hangouts app issue, that is just a one attack vector.

It is/was an issue in Stagefright.

Details of CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829 probably available soon?



So the Hangouts bit is just about triggering the problem without user intervention? If an attacker can find another way to get you to play a malicious video, there's still a hole? That's clearly more serious.


It just requires opening the video. The average user will probably open a video from an unknown sender without thinking twice because why would a video message hack their phone. I would imagine given that it controls phones it would also be possible to make a worm from this that resends the video to everyone in the contact list.


From the article, it sounds like they only need to open the text message: they don't need to actually play the video, even in the stock MMS app.

In my experience, people will open a message just to clear the notification and that's all that it would take for them to be compromised.


What about video in browser? It seems like video is replacing gif everywhere and those autoplay. I've seen websites that have video as backgrounds. Wouldn't stagefright handle those videos also?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: