CVE-2020-7705 Information

Description

This affects the package MintegralAdSDK from 0.0.0. The SDK distributed by the company contains malicious functionality that tracks any URL opened by the app and reports it back to the company along with performing advertisement attribution fraud. Mintegral can remotely activate hooks on the UIApplication openURL SKStoreProductViewController loadProductWithParameters and NSURLProtocol methods along with anti-debug and proxy detection protection. If those hooks are active MintegralAdSDK sends obfuscated data about every opened URL in an application to their servers. Note that the malicious functionality is enabled even if the SDK was not enabled to serve ads.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Reference

https://snyk.io/blog/sourmint-malicious-code-ad-fraud-and-data-leak-in-ios/ https://snyk.io/research/sour-mint-malicious-sdk/ https://snyk.io/vuln/SNYK-COCOAPODS-MINTEGRALADSDK-598852

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

NONE

Base Severity

8.1