CVE-2021-33057

Name of the Vulnerable Software and Affected Versions QQ application version 8.7.1

Description The issue concerns the QQ application's failure to enforce permission requirements for determining a device's physical location, such as android.permission.ACCESS FINE LOCATION. An attacker can exploit this by creating a MapContext object using qq.createMapContext, moving the map center to the device's location with MapContext.moveToLocation, and then obtaining the latitude and longitude of the current map center using MapContext.getCenterLocation.

Recommendations For version 8.7.1, consider disabling the use of qq.createMapContext and related functions until a patch is available to enforce proper permission requirements. Restrict access to location services to minimize the risk of exploitation. Avoid using MapContext.moveToLocation and MapContext.getCenterLocation in sensitive contexts until the issue is resolved.