CVE-2020-0415

Vulnerability

In various locations of SystemUI in Android versions 8.0, 8.1, 9, 10, and 11, there exists a permission bypass due to an unsafe PendingIntent [1]. This flaw allows an application to access contact data without the required permissions, as the PendingIntent can be misused to bypass the permission check [1]. The issue is present in the core user interface system component.

Exploitation

The attacker requires local access (User execution privileges) but no user interaction is needed for exploitation [1]. The vulnerability can be triggered by a malicious application that invokes the unsafe PendingIntent from SystemUI, thereby gaining access to contact data without proper authorization [1]. No network access or special timing window is required.

Impact

Successful exploitation leads to local information disclosure of contact data [1]. The attacker gains access to the user's contacts without the necessary permissions, potentially exposing sensitive personal information. The compromise is limited to contact data and does not escalate to root or system-level access.

Mitigation

Google released a fix in the Android Security Bulletin for October 2020, with patch level 2020-10-05 or later [1]. Users should install the Android security update for their device. No workaround is available for unpatched devices, but the vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog.