Researcher finds MIUI lock screen authentication vulnerability leading to sensitive information disclosure [Update: Fixed in latest update]

Update: An update (V7-G-190411) for the app pushed through Google Play   has fixed the issue. Changelog says “Made the app more secure by restricting complete browsing from Glance”.

Earlier: A couple of weeks back URL spoofing was discovered on Xiaomi browsers including Mi Browser and Mint browser and now another vulnerability has been discovered by the same researcher. The researcher says that the issue is specific to India region and is present on MIUI devices including MIUI for POCO.

As per Khan:

Due to this vulnerability, one can actually get read access as well as write access to user’s (current) Clipboard data, and apart from that the attacker can also partially access user’s stored social media credentials by abusing Autofill feature.

How to check if the vulnerability is present on your device?

Follow the step by step guide,

  1. Swipe Lockscreen to right and tap on Wallpaper Carousel.
  2. Enable Wallpaper Carousel from Lockscreen itself.
  3. Swipe right after enabling Wallpaper Carousel, tap on Wallpaper Carousel again to view this screen, tap on Read More.
  4. A web page will be opened, click on any social buttons that appear on those web pages.
  5. From here on, you can expose the clipboard data and stored autofill data for that particular social network.

Mi Security team (MiSRC) acknowledged the vulnerability!

Mi Security team has acknowledged the issue and confirmed the bug for the bug bounty program. Mi Security team has identified it as low severity, but as per the researcher, it is a medium-risk issue. The issue isn’t fixed yet, neither the company has provided an ETA.

How does it affect you?

If you are someone who lives in India and uses Wallpaper Carousel and Glance on your device and has turned on autofill on the device, then by abusing autofill feature on social login pages, an attacker can successfully expose your stored email addresses, phone numbers and usernames linked with that social site.

What you should do to remain unaffected?

Indian users should avoid using Wallpaper Carousel and Glance on their devices at least until Xiaomi patches the vulnerability, you can also uninstall Wallpaper Carousel from Settings —> Manage Apps.

Thanks for the tip Arif.


Author: Arpit Porwal

Coming from the Mathematics research background, Arpit keeps an eye on MIUI and Xiaomi products and uses POCO X2 as his daily driver. You can follow him on Twitter and Instagram.