CVE-2020-12624 : Exploit Details and Defense Strategies

The League application before 2020-05-02 on Android sends a bearer token in an HTTP Authorization header to an arbitrary website, allowing remote attackers to hijack sessions.

Understanding CVE-2020-12624

This CVE describes a vulnerability in The League application on Android that can be exploited by attackers to hijack user sessions.

What is CVE-2020-12624?

The League application on Android sends sensitive authentication information to external sites, enabling attackers to take over user sessions.

The Impact of CVE-2020-12624

The vulnerability allows remote attackers to hijack user sessions by intercepting bearer tokens sent in HTTP headers.

Technical Details of CVE-2020-12624

The following technical details provide insight into the vulnerability.

Vulnerability Description

The League application on Android sends bearer tokens in HTTP headers to external sites, facilitating session hijacking.

Affected Systems and Versions

Product: The League application
Vendor: Not applicable
Versions: All versions before 2020-05-02

Exploitation Mechanism

Attackers exploit the reuse of OkHttp objects in the application to intercept bearer tokens and hijack user sessions.

Mitigation and Prevention

Protecting against CVE-2020-12624 requires immediate actions and long-term security practices.

Immediate Steps to Take

Update The League application to the latest version that addresses the vulnerability.
Avoid accessing sensitive information while using the application on unsecured networks.

Long-Term Security Practices

Implement secure coding practices to prevent similar vulnerabilities in future releases.
Educate users on safe browsing habits and the risks of sharing sensitive data.
Regularly monitor and audit network traffic for any suspicious activities.
Utilize VPNs or secure connections when accessing sensitive information.

Patching and Updates

Stay informed about security updates for The League application and promptly apply patches to mitigate risks.