David Wells at Tenable Research recently discovered a critical security vulnerability in MXPlayer an Indian video player app and OTT platform. The platform’s penetration in the market can be gauged by the fact that it has over 500M downloads on Google Play. The app originally was only a media file player but after being acquired by Times Internet it became a free online content streaming platform.
The app makes it to the list of most used video streaming platform in India and that is more so the reason of concern with the finding of the vulnerability. The issue is not in the video streaming service but the MX Transfer feature that the app provides for wireless transfer of media content. According to Wells, this video sharing feature is a direct phone-to-phone file sharing feature which had a path traversal vulnerability in it.
According to the report, “MX Player transfers video files between two phones by setting one of the phones (“receiver”) into hotspot mode, while the other phone (“sender”) authenticates via shared password and sends the video over this connection. When the receiver puts their phone in “Hotspot” mode, the password for this Hotspot is base64 encoded and broadcasted publicly as a discoverable bluetooth device. This means if an attacker is within the receiver’s bluetooth range, the password to the phone’s Hotspot can be compromised”. This is known as ‘Remote code execution vulnerability’.
Since MX Players file transfer protocol allows multiple files to be transferred in a single session it offers a gateway for the interloper to barge in and transfer files that carries malware payload. These files or applications can be controlled remotely and can be used to install other files, snoop or steal private files stored on the device and send them to remote servers belonging to the hackers.
This test was performed using Android smartphones Pixel 3 and Pixel 3 XL. However, it was not disclosed whether the iOS version of MXPlayer was vulnerable to remote code exploit or not.
Very little vendor communication on patch progress and updates was received from MXPlayer when the security research firm disclosed the vulnerability issue to them. Although later on the path traversal issue was found fixed in the v1.24.5 update released on July 6.
It is advisable that all those who gave MXPlayer installed in their phones to update it manually to the latest version available ASAP.
We’re hiring!
We are hiring two full-time junior to mid-level writers with the option to work remotely. You need to work a 5-hour shift and be available to write. Interested candidates should email their sample articles to [email protected]. Applications without a sample article will not be considered.