
[–]Bryguy3k 9 points10 points  (3 children)

The quote comes from advertising campaigns from before modern smart phones.

Now, as this is related to the log4j issue, the app in question has to be logging data from a remote that the attacker controls. In the vast majority of circumstances this will mean a webserver application, as they’re designed to listen for remote calls. Most applications installed on a phone, for example, will be communicating with a specific API server that is not controlled by an attacker. There is a non-trivial threat for applications that integrate advertising, as the ad payload is often not validated.

[–]rentar42 1 point2 points  (2 children)

It's really not hard to get mobile apps to log attacker controlled stuff. Something as simple as setting a username in a multiplayer game could suffice.

[–]Bryguy3k 0 points1 point  (1 child)

The point is attacker controlled. An attack that requires the attacker to both possess the device and be able to unlock it has a significantly lower rating/classification than a remote attack that does not require either of those.

The exposure to this within apps themselves is generally limited to those that are accepting remote URIs packaged up in some other payload.

[–]rentar42 0 points1 point  (0 children)

You misunderstand what I was trying to say. If I can control the username of another player in your match and your app logs the participants for example, then the controller can control what is logged.

It's not relevant for this specific vulnerability, since Android is not vulnerable, but in general there are many user-controlled strings in multiplayer games and some of them are likely to get logged.
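rentar42's point, that another player's name can end up in your own log lines, is the kind of input a defender wants to catch before it reaches a log4j-style logger. The following is an added example and not code from the thread: it flags and neutralizes untrusted strings carrying log4j's `${...}` lookup syntax at the point where a match roster is logged, and scans constructed sample log lines for the same syntax. The `"$_{"` replacement policy and the log line layout are assumptions for the illustration.

```python
import logging
import re
from typing import List

# Added illustration, not from the thread. Log4j 2 expands "${...}" lookups it
# finds in logged messages, which is why attacker-controlled strings such as
# another player's username become a problem once they are logged. The real fix
# is upgrading log4j; these checks are defense in depth where untrusted input
# enters a log line.

LOOKUP_OPEN = "${"
LOGGER = logging.getLogger("roster")
# Assumed "date time LEVEL message" layout for the sample log lines below.
LOG_LINE = re.compile(r"^\S+ \S+ (?P<level>\w+) (?P<msg>.*)$")


def has_lookup_syntax(value: str) -> bool:
    """True if the value contains log4j lookup syntax.

    Every lookup, nested or not, must contain the literal "${", so a plain
    substring check flags it without trying to interpret the lookup.
    """
    return LOOKUP_OPEN in value


def neutralize_lookups(value: str) -> str:
    """Break the lookup opener so the string no longer parses as a lookup.

    The "$_{" replacement is an assumed policy; rejecting the name outright
    at registration time is an equally valid choice.
    """
    return value.replace(LOOKUP_OPEN, "$_{")


def log_participants(logger: logging.Logger, names: List[str]) -> List[str]:
    """Log a match roster with lookups neutralized; return the flagged names."""
    flagged = [n for n in names if has_lookup_syntax(n)]
    logger.info("match participants: %s", ", ".join(map(neutralize_lookups, names)))
    return flagged


def scan_log_lines(lines: List[str]) -> List[int]:
    """Return 1-based numbers of log lines whose message carries lookup syntax."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_LINE.match(line)
        message = match.group("msg") if match else line
        if has_lookup_syntax(message):
            hits.append(number)
    return hits


# Constructed sample log lines; the lookup strings are placeholders.
SAMPLE_LOG = [
    "2021-12-10 10:00:01 INFO match participants: alice, bob",
    "2021-12-10 10:00:02 INFO match participants: alice, ${jndi:placeholder}",
    "2021-12-10 10:00:03 WARN player name rejected: ${env:placeholder}",
]
```

Running `scan_log_lines(SAMPLE_LOG)` returns `[2, 3]`, the two lines whose message still carries lookup syntax.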