MX Player bug allowed hackers to access the device remotely, now fixed
The video streaming player, which was acquired by Times Internet in 2018 and raised millions from Chinese firm Tencent last year, is now found with a flaw.
There's no doubt that video streaming stats have gone up in almost every way during this pandemic as millions of us are sitting at homes and finishing those seasons one after another. One of the services that is taking advantage of it is MX Player. The video streaming player, which was acquired by Times Internet in 2018 and raised millions from Chinese firm Tencent last year, is now found with a flaw that would let a hacker snoop into your smartphone remotely. The flaw, as mentioned by Tenable, was found in the company's Android app, which is already there in millions of smartphones in India.
As per the report, the hacker can attack the device featuring MX Player when is it waiting to receive a new file through its file transfer feature. “In this scenario, a path traversal vulnerability could be exploited and, on certain devices, achieve code execution through specially crafted files. Additionally, because MX Player's transfer service password is openly shared as a Bluetooth device name, an unauthenticated attacker within Bluetooth range could also exploit this flaw,” stated the Tenable Research report.
For what's worth Tenable has already informed MX Player about the vulnerability and the company has reportedly acknowledged it as well in the version 1.24.5 of the mobile app. “During disclosure with MX Player, we received very little vendor communication on patch progress and updates. During our occasional testing of versions, we discovered that the path traversal issue was fixed in the v1.24.5 release,” stated David Wells in the Tenable tech blog on Medium.
At the time of writing, MX Player already 500 million installs on Google Play Store.