Severe vulnerabilities have been publicly disclosed in the BlueStacks emulator which granted attackers a way to remotely execute code on vulnerable systems.
BlueStacks is a mobile and PC Android gaming platform. Catering to millions of users, the software is a free emulator backed by investors including Intel, AMD, Samsung, and Qualcomm.
In a recent security advisory, BlueStacks revealed the existence of a bug, CVE-2019-12936, which relates to problems with BlueStacks' IPC mechanism and an IPC interface which had no form of authentication enabled.
Issued a CVSS score of 7.1, the security flaw permits attackers to use DNS Rebinding -- the operation of a client-side script to turn a victim's browser into a proxy for attacks -- to gain access to the BlueStacks App Player IPC mechanism. All it takes is a visit to a malicious webpage.
The researcher who found and reported the vulnerability, Nick Cano, told Bleeping Computer that successful exploit of the bug can lead to the remote execution of code, information leaks, and the theft of data backups in the emulator.
In addition, Caro said that the flaw could be used to install APKs without authorization on the BlueStacks virtual machine.
The vulnerability is present in the 4.80 and below version of the BlueStacks App Player.
A patch has been developed to resolve the vulnerability and in version 4.90 and users can visit the BlueStacks website to install or update their software. It is also worth noting the fix will not be made available for version 2 or 3, and so it is recommended that users update their builds as soon as possible.
Previous and related coverage
- User data stolen from 'human hacking' forum Social Engineered, published on rival site
- Qualcomm Snapdragon 855 SPU snags smart card security certificate
- ICO slams UK Met Police for failure to handle public data requests
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0