Wind Vision Android App: Customer data at risk from hackers! Security vulnerabilities have been found in the Wind Vision Android application, a service of the telecommunications provider Wind Hellas. Security flaws in the application allow the compromise of legitimate user accounts as well as the theft of passwords and of other accounts.
According to confidential information from a SecNews user who sent an anonymous tip, the implementation of Wind Hellas poses a danger to hundreds of Greek citizens who have the subscription service and use it on their personal devices. Four (4) critical vulnerabilities have already been identified in the application, and although Wind Hellas became aware of them as of November 14, 2020, there has been no official response, announcement or information on whether and when the security issues were resolved.
Wind Vision is a digital TV service offered by WIND Hellas, a Greek telecommunications provider, that allows the streaming of digital content. The Wind Vision mobile application, available for Android and iOS devices, allows users to watch TV "on the go" from their smartphones.
The Wind Vision Android app is available on the Google Play Store. The latest available version of the application (10.0.16) was found to be vulnerable to four security issues. The vulnerabilities could be chained into an attack that would allow a malicious application controlled by hackers to break into a victim's user account.
By hijacking a legitimate account, the malicious user (hacker) could proceed to download and watch television content at the victim's expense. The hacker could also lock the legitimate subscriber out of the application by changing the PIN code and replacing the registered devices. As a result, thousands of legitimate users could be locked out and lose all the money they have paid for their subscription. It is worth mentioning that a malicious user monetising the compromised accounts could sell all the passwords on the Dark Web.
The SecNews team must warn you of the greatest risk: the potential sale of passwords stolen from the Wind Vision Android application. Specifically, legitimate users who chose as their password for the subscription service a password they already use in other services, such as government platforms (www.efka.gov.gr), social networking accounts (Facebook, Instagram, Twitter, TikTok etc.) or electronic banking services (internet banking), face a high risk of those services being breached because of the shared password. Be very careful: if you have the Wind Vision Android application, change your password immediately, as well as in any other account where you use the same credentials.
Wind's IPTV infrastructure used Zappware's "Nexx4" solution. Zappware's cross-platform solutions for DVB, IPTV and OTT services are used by telecommunications providers operating in many countries, including Wind Hellas. Some of these providers are:
- A1 Croatia
- A1 Bulgaria
- A1 Slovenia
- Orange Belgium
- A1 Austria
- Trinidad and Tobago / Caribbean Amplia
Because the issues found in Wind Vision lie in Zappware's software, millions of users worldwide may be at risk.
Although Zappware has been contacted several times in recent months (20/11/2020, 30/11/2020 and 22/12/2020), the Wind Vision Android application has not been updated to include appropriate fixes for the vulnerabilities discovered, and it is not known whether the security gaps have been corrected at the time of writing.
Serious security issues, such as those in Wind Vision Android, need to be fixed, and fixing them should take priority over developing new features, so as to protect users' privacy and their accounts.
It should be emphasized that the vulnerabilities were responsibly disclosed to Zappware and Wind Hellas by the security researcher who identified them, with detailed remediation instructions and recommendations to assist in the repair process.
Technical description of the security gaps
The following section provides a brief overview of the vulnerabilities discovered, along with some technical details.
CVE-2021-22268: Insecure Authentication
Wind Vision performed user authentication via the OAuth2 "Authorization Code" flow using a web browser. The chosen authentication method was not secure, as the issued authorization code could be intercepted by third-party applications and exchanged for a valid session token. This issue, in combination with the URL hijacking described below, allows the victim's account to be compromised after the user is first tricked (usually via social engineering) into selecting the wrong handler application.
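The standard defence for exactly this situation, a native app whose redirect can be hijacked, is PKCE (RFC 7636): the app binds the authorization code to a secret it never sends over the redirect, so an intercepted code cannot be exchanged for a token. The following is an added example written for this article, not code from Wind Vision, Zappware or the researcher; the authorization server, client id and user name are constructed stand-ins, and the RFC 7636 test vector is used to check the challenge computation.

```python
# Added example, not code from Wind Vision, Zappware or the researcher: a toy
# OAuth2 "Authorization Code" exchange with and without PKCE (RFC 7636).
# The server, client id and user names are constructed stand-ins.
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def _b64url(raw: bytes) -> str:
    """BASE64URL encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier that never leaves the legitimate app's process."""
    return _b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA-256(code_verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """In-memory stand-in for the identity provider (assumed, not a real service)."""

    def __init__(self) -> None:
        # authorization code -> (client_id, user, code_challenge or None)
        self._pending: Dict[str, Tuple[str, str, Optional[str]]] = {}
        self._sessions: Dict[str, str] = {}  # session token -> user

    def authorize(self, client_id: str, user: str, challenge: Optional[str]) -> str:
        """Browser leg: the user consents and a one-time code is sent to the redirect URI."""
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, user, challenge)
        return code

    def exchange(self, client_id: str, code: str, verifier: Optional[str] = None) -> Optional[str]:
        """Back-channel leg: redeem the code. The code is burned on any attempt."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        owner, user, challenge = entry
        if owner != client_id:
            return None
        if challenge is not None:
            # PKCE: only the party that generated the verifier can redeem the code.
            if verifier is None or not secrets.compare_digest(code_challenge(verifier), challenge):
                return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token


def run_scenario() -> Dict[str, bool]:
    """Contrast a hijacked redirect with and without PKCE."""
    idp = ToyAuthorizationServer()
    client_id = "example-iptv-app"  # constructed client id

    # Without PKCE: whoever receives the redirect (e.g. a rogue URL handler) owns the session.
    code = idp.authorize(client_id, "alice", challenge=None)
    no_pkce_hijacked = idp.exchange(client_id, code) is not None

    # With PKCE: the rogue handler sees the code but not the verifier.
    verifier = make_code_verifier()
    code = idp.authorize(client_id, "alice", challenge=code_challenge(verifier))
    pkce_hijacked = idp.exchange(client_id, code) is not None

    # The legitimate app redeems a fresh code with its verifier; a replay of that code fails.
    verifier = make_code_verifier()
    code = idp.authorize(client_id, "alice", challenge=code_challenge(verifier))
    legit = idp.exchange(client_id, code, verifier) is not None
    replay = idp.exchange(client_id, code, verifier) is not None

    return {
        "without_pkce_interceptor_got_token": no_pkce_hijacked,
        "with_pkce_interceptor_got_token": pkce_hijacked,
        "legitimate_client_got_token": legit,
        "replayed_code_accepted": replay,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two design points carry over to a real deployment: the server must refuse a code whose verifier check fails and must invalidate that code rather than leave it pending, and the verifier must be generated per authorization request from a cryptographic random source, never derived from anything another app on the device could read.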
CVE-2021-22269: PIN Code Leakage
The "master PIN code" required by the application in order to change certain settings leaked during the application's communication with the servers. Therefore, the four-digit code could be intercepted by analysing network traffic, as the application was not found to use certificate pinning.
CVE-2021-22270: URL Hijacking
The Wind Vision application made unsafe use of the URL-scheme Inter-Process Communication (IPC) mechanism offered by the Android operating system. Its deep link implementation is prone to "URL Hijacking", an attack in which third-party malware gets launched in place of the legitimate app and can steal sensitive data, by tricking the user into accepting the wrong "handler" for a registered URL scheme.
CVE-2021-22268: Reproducible Device ID
Wind Vision users can register a number of devices to their subscription, which are then tracked by a Device ID generated locally on the device. However, this generation process is predictable, as it does not use randomness. As a result, a valid device ID could be re-created by third-party applications running on the same device. If such a malicious application also holds a valid session token, it could issue valid requests to the Wind Vision server with access to all of the user's functions, including streaming TV content.
Since the other vulnerabilities discovered (CVE-2021-22270, CVE-2021-22268) could be used to obtain a session token, exploiting this vulnerability in combination with them leads to the compromise of Wind Vision accounts.
SecNews publishes this article to inform the public about such a serious security issue and to warn those users who may be at risk. We assume that, because the Zappware platform is third-party, Wind should require an immediate fix from the vendor (vendor patch) if the vulnerability is still valid at the time these lines are written.
As a purely journalistic and informative website, our main goal is to promptly inform our users about key issues related to cyber security.
Note that the security vulnerabilities were discovered through independent research by Leonidas Tsaousis (@laripping) of F-Secure Consulting.
*Disclaimer: SecNews confirmed the reliability of the source. The investigation regarding the vulnerability was carried out by the security expert Leonidas Tsaousis, and SecNews bears no responsibility for possible changes or configurations made after the publication of this article.
SecNews publishes this article to protect the personal data of its readers and of society at large.
In addition, SecNews aims to inform the company of the publication of the weakness on a foreign website so that the necessary corrective actions are taken (by the provider of the Zappware platform) if this has not been done already.