CVE-2020-9754

Vulnerability

NAVER Whale browser mobile app versions prior to 1.10.6.2 contain a security bypass vulnerability. The browser unlock function, which is intended to prevent unauthorized access to the browser content, can be circumvented by switching to incognito mode. This allows an attacker to access the browser without providing the required unlock credentials. [1]

Exploitation

An attacker with physical access to the unlocked device can launch the Whale browser and select incognito mode. No additional authentication or special privileges are required beyond the ability to interact with the app. The browser unlock mechanism is not enforced when the browser is in incognito mode, enabling direct access to browsing sessions. [1]

Impact

Successful exploitation allows an attacker to view the user's browsing history, open tabs, and potentially access websites that the user was viewing, bypassing the intended security boundary provided by the browser unlock feature. The confidentiality of browsing data is compromised, although the attack requires the device screen to be unlocked. [1]

Mitigation

NAVER addressed this vulnerability in Whale browser mobile version 1.10.6.2. Users should update to this version or later from the official app store. No workaround is available for versions prior to the fix. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities Catalog. [1]