
Windows Phone Store permissions flaw patched by Microsoft, allowed apps to access photos

The Windows Phone Store received a bug fix recently, closing a hole that allowed developers to publish applications that can access a user’s photo library without their permission. The quirk was originally brought to our attention by developer Al Gihuni, who makes the popular SoundCloud app SoundClone for Windows Phone (don't worry, that app is safe).

Gihuni demonstrated this quirk for us by submitting a test app to the Store – seen in this article's images – that required three capabilities: access to your photo library, phone identity, and owner identity. After passing through Microsoft’s certification processes, we opened up the Store app and navigated to the app listing. The listing only indicated the app needed phone and owner identity access, with no mention of access to the photo library.


Test app 'TicTacHum' walks us through the flaw

A deep dive into the app’s XAP and source code revealed that no tricks, such as obfuscation, were involved. In fact, we were able to reproduce the issue with our own simple submission. It's important to note, however, that the app did not exploit a flaw in the underlying operating system. It properly declared in its app manifest that photo library access was required. But this information wasn't surfaced to the user making the final install call, and that's where we have an issue.

With the Store being the only place for users to evaluate an application’s permission set, these kinds of issues can be dangerous. A rogue actor, for example, could pass a clone of Flappy Bird through the Store and quietly access a user’s photo library, collecting and uploading the photos to a remote server. Photo leaks are especially dangerous, as photos often contain rich metadata, such as location info.
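The check a reviewer would want here is to read the capabilities an app's manifest actually declares and diff them against what the Store listing showed. This is an added example, not code from the article or from Microsoft; the WMAppManifest.xml layout and the ID_CAP_* identifiers are the Windows Phone 8 ones, the sample XAP is constructed inline, and the capability-to-label mapping is an assumption of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Windows Phone 8 capability identifiers and the wording a user would expect to
# see in the Store listing. The article does not quote the identifiers; the
# mapping below is an assumption of this example.
CAPABILITY_LABELS = {
    "ID_CAP_MEDIALIB_PHOTO": "photo library",
    "ID_CAP_IDENTITY_DEVICE": "phone identity",
    "ID_CAP_IDENTITY_USER": "owner identity",
    "ID_CAP_LOCATION": "location services",
    "ID_CAP_CONTACTS": "contacts",
}

# Constructed sample manifest mirroring the three capabilities of the test app.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" AppPlatformVersion="8.0">
  <App xmlns="" Title="TicTacHum" ProductID="{PLACEHOLDER-GUID}">
    <Capabilities>
      <Capability Name="ID_CAP_MEDIALIB_PHOTO" />
      <Capability Name="ID_CAP_IDENTITY_DEVICE" />
      <Capability Name="ID_CAP_IDENTITY_USER" />
    </Capabilities>
  </App>
</Deployment>
"""

def build_sample_xap() -> bytes:
    """Pack the sample manifest into an in-memory XAP (a XAP is a zip archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as xap:
        xap.writestr("WMAppManifest.xml", SAMPLE_MANIFEST)
    return buf.getvalue()

def declared_capabilities(xap_bytes: bytes) -> set:
    """Return every capability name the manifest inside the XAP declares."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        root = ET.fromstring(xap.read("WMAppManifest.xml"))
    # Match on the local tag name so namespaced and un-namespaced <Capability> both count.
    return {el.get("Name") for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Capability"}

def undisclosed_capabilities(declared: set, listed_labels: set) -> set:
    """Declared capabilities whose user-facing label never appeared in the Store listing."""
    return {cap for cap in declared if CAPABILITY_LABELS.get(cap, cap) not in listed_labels}

if __name__ == "__main__":
    declared = declared_capabilities(build_sample_xap())
    shown = {"phone identity", "owner identity"}  # what the listing in the article displayed
    for cap in sorted(undisclosed_capabilities(declared, shown)):
        print(f"undisclosed: {cap} ({CAPABILITY_LABELS.get(cap, 'unknown')})")
```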


'TicTacHum' has access to our photos, though we didn't agree to that

As far as we know, an app exploiting this flaw never made it to the Store. And as of today, we can say that this flaw has been patched, after we raised the issue with Microsoft late last week.


Reader comments

36 Comments

No, your name is harsh. Telling dinosaurs that they can only live once... Have you seen Jurassic Park? Try telling them they only live once. :P (sorry for the off-topicness, and I don't have any potatoes. :/)

By viewing this comment, you agree to share your location and appointments* with all members of this forum ⬜yes? ⬛no?

*and photos :P

Wait, so apps with "access to photo library" can actually upload your private photos to the app developer if he would like to do that?
I thought this access was for uploading through user action or saving images through the app only!

Safe? It's safer since there aren't as many permissions apps can ask for compared to Android, and developers have fewer opportunities to do stupid things that can impact your privacy or the stability and performance of your device.

But if you grant an app access to something it can ask for it will of course get access. As always, apply some common sense before installing apps.

Thanks Rafael and Danel. I'm happy this one finally worked. I've contacted them in the past privately, but they didn't hear me. This is a good end for the story.

I imagine that if they had for example taken all of my 1020's albums at once, that my phone would have shown at least a bit of lag??

It's very annoying when apps need absurd requirements. There are, for example, simple flashlight apps that need all the requirements they can access from you. For that reason I stick to official apps from well-known devs and only the necessary apps. Some of us are concerned about our privacy.

They don't get open access to the gallery though, do they? Aren't images selected through the image picker and the APIs?

This article is just big big big big bullshit! The underlying issue has NOT been addressed; it's just that now MS has made some cosmetic change so they can wash their hands when somebody wants to sue them due to leaked personal photos.

Let me ask all readers: if you realized that an app can access all your photo gallery, all your private SMS (including online banking passwords / your bank account balance), all your contacts, all your media list etc., WTF can you do against it? Not install that particular app? Really? Illusion of choice my friends, just illusion. As all the official apps (Skype, Facebook etc.) have access to all content stored on your phone. And you grant this access happily and voluntarily. Because it's so well hidden on the application page. Location access is one thing, that's properly emphasized for every app download. But what about the other 10-20 access permissions? Those disgusting lawyers were paid a sh*tload of money to carefully obfuscate the jargon text into those Terms & Conditions pages, as a result MS (Apple, Google, and all their friends) can wash their hands. Honestly, can you find out from that lawyer-written Terms & Conditions document whether the app developer is allowed to fetch all your photos via his app in complete secret, or by law you have to be notified of this stealth activity? You see, you cannot find out, no matter how many times you read that stupid text. So can you really make the educated choice, even if you consider yourself well prepared and read that text? Of course not. Illusion of the choice.

All the stupid (=average) smartphone users should be educated that there is no such thing as free software on the smartphone. If you download that stupid free game, I bet it will ask for your: location, contacts, owner info, pictures, media library, etc. Would you voluntarily share your photos with a random person walking on the street? Because that's what happens in the background (surely, cleverly hidden from your eyes in the background on your phone, good job, everybody can thank the smartphone vendors for this!).

Whoa, whoa! Slow down, tiger! You bring up good points, but bury them in the tldr. Also, only a dumbass would send financial passwords via SMS. I've always had to configure mobile banking either through my bank's app, or a secure web page.

You obviously haven't heard about netbanking 2-factor authentication via a one-time password sent in SMS.