Insecure Default Value in addWindow of WindowManagerService.java Allows for Tapjacking and Privilege Escalation

Insecure Default Value in addWindow of WindowManagerService.java Allows for Tapjacking and Privilege Escalation

CVE-2020-0099 · HIGH Severity

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

In addWindow of WindowManagerService.java, there is a possible window overlay attack due to an insecure default value. This could lead to local escalation of privilege via tapjacking with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-141745510

Learn more about our Cis Benchmark Audit For Google Android.