Mobile app empire Cheetah Mobile not only makes terrible software, but has even found its products ejected from the Play Store on occasion for breaking rules. If you somehow need more reasons not to use apps from the company, one developer has discovered that some applications, including CM Launcher, store data in an unsecured cloud storage bucket.
Developer Till Kottmann tore apart the APK for CM Launcher 3D and shared the findings on Twitter. Among some sketchy calls to random servers, Kottmann discovered that CM Launcher stores themes, icons, wallpapers, and other installable data in an unsecured Amazon AWS bucket.
Wait holy shit, their bucket actually allows anyone to write to it. https://t.co/a0zMjBXMHC
This is a HUGE security risk, CM Launcher loads all theme screenshots and wallpapers from there and the bucket seems to be shared with other CM Products as well. https://t.co/LTTaLotFyF
— Till Kottmann (@deletescape) May 21, 2019
In layman's terms, anyone can upload data to the server that CM Launcher and other Cheetah apps download data from. As Till described on Twitter, someone could easily modify the stored data to cause CM Launcher to crash, or worse.
@CraigSilverman @zackwhittaker @hallstephenj @ArtemR Cheetah Mobile asset server allows anyone to upload anything. This would allow a threat actor to break CM Launcher 3D in a few clicks by replacing JSON files they try to parse inside the app. This also further shows CM has
— Till Kottmann (@deletescape) May 21, 2019
I'm sure Cheetah Mobile will fix thi.... nevermind, I can't even finish that sentence. Y'all know just as well as I do that Cheetah doesn't give a 💩.