PT-2023-16286 · Google · Youtube Embedded 1.2 Sdk

Published: 2023-03-01 · Updated: 2023-03-09 · CVE-2023-0460

CVSS v3.1: 7.3 (High)

Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

YouTube Embedded 1.2 SDK

Description

The YouTube Embedded 1.2 SDK has a potential vulnerability in its binding logic. After binding to a service within the YouTube Main App, the SDK creates a remote context with the flags Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY, which allows the client app to remotely load code from the YouTube Main App by retrieving its ClassLoader. This vulnerability can be triggered when the SDK calls bindService() on a malicious app instead of the YouTube Main App, enabling the malicious app to load arbitrary code into the calling app. An attacker must masquerade as the YouTube app, install it on a device, and have a second app that uses the Embedded player, typically distributing both to the victim outside of the Play Store.

Recommendations

As a temporary workaround, consider restricting the use of the YouTube Embedded 1.2 SDK until a patch is available. Avoid using the SDK in apps that are distributed outside of the Play Store to minimize the risk of exploitation. Restrict access to the bindService() function to prevent malicious apps from loading arbitrary code into the calling app. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
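
One app-side check that fits the masquerading scenario described above, shown as an added example (not code from the SDK, Google, or this advisory): before initialising the embedded player, confirm that the installed package the SDK would bind to is signed with a certificate you have pinned. The class name `YouTubePeerCheck`, the package name `com.google.android.youtube` and the digest placeholder are assumptions; the check requires API level 28 or later.

```java
import android.content.Context;
import android.content.pm.PackageManager;

/** Added example: refuse to use the embedded player unless the peer package is the expected one. */
public final class YouTubePeerCheck {
    // Assumption: package name of the YouTube Main App that the SDK binds to.
    private static final String YOUTUBE_PACKAGE = "com.google.android.youtube";

    // Placeholder, not a real value: hex SHA-256 digest of the signing certificate
    // you expect, obtained from a trusted copy of the app.
    private static final String EXPECTED_CERT_SHA256_HEX = "REPLACE_WITH_EXPECTED_SHA256_HEX";

    private YouTubePeerCheck() {}

    /** Returns true only if the package is installed and signed with the pinned certificate. */
    public static boolean isTrustedYouTubeInstalled(Context context) {
        byte[] expected;
        try {
            expected = hexToBytes(EXPECTED_CERT_SHA256_HEX);
        } catch (IllegalArgumentException e) {
            return false; // placeholder not replaced or malformed digest: fail closed
        }
        PackageManager pm = context.getPackageManager();
        // API 28+: compares the digest against the certificates the package has
        // proven to be signed with (certificate rotation history included).
        return pm.hasSigningCertificate(
                YOUTUBE_PACKAGE, expected, PackageManager.CERT_INPUT_SHA256);
    }

    /** Decodes a 64-character hex string into a 32-byte SHA-256 digest. */
    static byte[] hexToBytes(String hex) {
        if (hex.length() != 64) {
            throw new IllegalArgumentException("expected a 32-byte digest in hex");
        }
        byte[] out = new byte[32];
        for (int i = 0; i < 32; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("non-hex character in digest");
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
}
```

An app that ships the SDK would call `isTrustedYouTubeInstalled()` before creating any player view and fall back to a non-SDK path (for example, opening the video in a browser) when it returns false.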

Weakness Enumeration

Related Identifiers

CVE-2023-0460

Affected Products

Youtube Embedded 1.2 Sdk