Security lock can be bypassed by changing the system date

Jun 16, 2020

  • Risk: low
  • CVSS v3 Base Score: 6.1
  • CVSS v3 Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • CWE ID: CWE-15
  • CWE Name: External Control of System or Configuration Setting

Description

Given an attacker has physical access to the device, a faulty timestamp check allowed to bypass the app lock by setting the system date to the past.

Affected

  • ownCloud Android App version < 2.15

Action taken

Use elapsed time method which is recommended for interval timing. This method is independent of the system time.