Android User Dictionary Provider Confused Deputy Vulnerability Allowing Privilege Escalation
Vulnerability
A vulnerability in the UserDictionaryProvider component of Android has been identified, allowing for a local elevation of privilege. This issue arises from a confused deputy problem, where certain functions in UserDictionaryProvider.java can be exploited to add or delete words in the user dictionary. Notably, this vulnerability does not require any additional execution privileges or user interaction for exploitation. It affects multiple Android versions, including 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.
Impact
Exploitation of this vulnerability could lead to unauthorized changes in the user dictionary, potentially allowing malicious applications to manipulate user input or application behavior. More critically, this vulnerability could be exploited to gain elevated privileges, enabling access to restricted areas of the system or application.
Remediation
Users can update their devices to the June 2018 security patch level to address this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.