Vulnerabilities Summary
Android 8.1 introduced a default printing service. This service, based on the very similar, freely available Mopria Alliance Print Service on the Google Play Store, suffers from a lack of validation that can lead to man-in-the-middle attacks and subsequent interception of print jobs, as well as an issue that allows potentially unsafe printing devices to be used without any warning or confirmation.
Credit
An independent security researcher, Matt Parnell, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Affected systems
Android 8.1 Default Printing Service
Vendor Response
“The Android Security Team has conducted an initial severity assessment on this report. Based on our published severity assessment matrix (1) it was rated as not being a security vulnerability that would meet the severity bar for inclusion in an Android security bulletin. If you have additional information that you believe we should use to reassess this report, please let us know.
The Resolution Notes label has been set to NSBC (Not Security Bulletin Class) to reflect this assessment.”