CVE-2021-33057

Description

The QQ application 8.7.1 for Android and iOS does not enforce the permission requirements (e.g., android.permission.ACCESS_FINE_LOCATION) for determining the device's physical location. An attacker can use qq.createMapContext to create a MapContext object, use MapContext.moveToLocation to move the center of the map to the device's location, and use MapContext.getCenterLocation to get the latitude and longitude of the current map center.

Related CPE's

a tencent qq 8.7.1 ****android **

a tencent qq 8.7.1 ****iphone_os **

References

https://arxiv.org/pdf/2205.15202.pdf

Technical DescriptionThird Party Advisory

https://tencent.com

Vendor Advisory

https://github.com/BESTICSP/Vulnerabilities-Related-to-Mini-Programs-Permissions/blob/main/QQ%20applet%20location%20permission%20vulnerability%20report.pdf

ExploitThird Party Advisory

CvssV3 impact

Could not find any metrics

CvssV2 impact

Could not find any metrics

Created by Yello

About Severity.io