Newfound security hole in the LG G3 made user data on it prone to intruders

If you're still rocking the LG G3 (pretty much the best Quad-HD smartphone $270 can buy), you might have been bugged about installing a Smart Notice patch recently. Smart Notice is a service that shows recent notifications in the form of cards, similar in style to Google Now. It is enabled by default on LG devices.

Thus, you might have given it a shot and liked it, or disabled it completely on your LG G3. Whatever the case is, you should know that LG released this patch to close a serious vulnerability in the service. It was discovered by Israeli cyber security firm BugSec, which affectionately called it "SNAP".

SNAP lets potential attackers execute arbitrary code and wreak havok such as stealing private data, pull off phishing scams, and crash the operating system. The root cause of the problem is that Smart Notice does not "validate" user-submitted data. Users of vulnerable devices only need to save an infected notification message to get, in the researchers's words, "pwned". Affected users would receive no warning or other signs that something awful has happened.

According to the source, the vulnerability is only present on the LG G3 at the moment, although Smart Notice is also found in the LG G4 and other recent LG handsets. So, if you receive an updated version of the app, you'll know what's up.

The researches at BugSec say they don't know of any cases in which the vulnerability has been exploited, be it by attackers or malware scripts. However, they do insist that the vulnerability is not merely theoretical, and the fact that LG patched up Smart Notice so soon after having it brought to their attention lends it enough credibility by itself.

If you would like to learn more, watch the video below, prepared by BugSec and Cynet.

source: BugSec via The Register