Dolphin Browser for Android | Security Research Advisory | VerSprite

Dolphin Browser for Android

Arbitrary File Write

CVE ID

CVE-2017-17551

VENDOR

Mobotap

PRODUCT

Dolphin Browser for Android

Product version

< 12.0.2

Vulnerability Details

The Backup and Restore feature in Mobotap's Dolphin Browser for Android 12.0.2 suffers from an arbitrary file write vulnerability when restoring browser settings from a malicious Dolphin Browser backup file. The vulnerability allows an attacker to overwrite a specific executable in the Dolphin Browser's data directory with a crafted malicious executable. Every time the Dolphin Browser is launched, it attempts to run that executable from disk, thus executing the attacker's code.
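One way a restore routine can refuse the kind of write described above, shown as an added example that is not VerSprite's or Mobotap's code. The advisory does not describe the backup format, so the map of named entries, the `SafeRestore` class, and the `shared_prefs`/`databases` allow-list are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.LinkedHashMap;
import java.util.Map;

public class SafeRestore {
    // Assumption: only these subdirectories of the app data directory hold restorable settings.
    private static final String[] ALLOWED_DIRS = {"shared_prefs", "databases"};

    /** Resolves a backup entry name to a file under dataDir, or throws if it is not restorable. */
    static File resolveEntry(File dataDir, String entryName) throws IOException {
        File root = dataDir.getCanonicalFile();
        File target = new File(root, entryName).getCanonicalFile(); // collapses ".." and symlinks
        for (String dir : ALLOWED_DIRS) {
            String prefix = new File(root, dir).getPath() + File.separator;
            if (target.getPath().startsWith(prefix)) {
                return target;
            }
        }
        throw new SecurityException("Refusing to restore entry outside allowed directories: " + entryName);
    }

    /** Writes every entry or none: all names are validated before the first write. */
    static void restore(File dataDir, Map<String, byte[]> entries) throws IOException {
        Map<File, byte[]> plan = new LinkedHashMap<>();
        for (Map.Entry<String, byte[]> e : entries.entrySet()) {
            plan.put(resolveEntry(dataDir, e.getKey()), e.getValue());
        }
        for (Map.Entry<File, byte[]> p : plan.entrySet()) {
            p.getKey().getParentFile().mkdirs();
            Files.write(p.getKey().toPath(), p.getValue());
        }
    }

    public static void main(String[] args) throws IOException {
        File dataDir = Files.createTempDirectory("appdata").toFile();
        // Constructed sample entries; names and contents are illustrative only.
        Map<String, byte[]> backup = new LinkedHashMap<>();
        backup.put("shared_prefs/settings.xml", "<map/>".getBytes());
        backup.put("shared_prefs/../files/helper_binary", new byte[] {0x7f, 'E', 'L', 'F'});
        try {
            restore(dataDir, backup);
        } catch (SecurityException ex) {
            System.out.println(ex.getMessage()); // the whole backup is rejected before any write
        }
        System.out.println("settings written: " + new File(dataDir, "shared_prefs/settings.xml").exists());
    }
}
```

Validating every entry before the first write means a backup containing one bad entry leaves the data directory untouched, and keeping executables outside the allow-listed directories means restored data can never replace code the app runs at launch.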

Vendor response

Mobotap has not issued a response nor an update to remediate this vulnerability.

Disclosure timeline

2017-11-28 - Reached out on Twitter and asked to speak with someone who is responsible for product security
2017-12-04 - Emailed requesting to speak with someone who can address security issues in the Dolphin Browser for Android, no response
2017-12-07 - Emailed to verify initial email was received, no response
2017-12-10 - Emailed to inform them of the public release of an advisory, CC'ed [email protected] and received a bounce on the email address
2017-12-11 - Public zero day release of advisory
