I personally hate MIUI as it is – with annoying ads and the user interface in general.
Well, that is something that depends on my preference. And, you might disagree – which is completely alright.
But now, with an unpatched security flaw, it makes me wonder why I should recommend Xiaomi devices to anyone at all.
A Recent Security Flaw Which Was Patched
Before talking about the current situation, I should mention that yet another major security flaw was found a day earlier, and that one has now been patched.
It was discovered that a pre-installed security app was vulnerable to malicious exploits.
So, if you haven’t updated the software on your device, you should do that immediately.
And, as if that was not enough, Mohit Kumar (from The Hacker News) recently reported another security issue on Xiaomi devices that has been left unpatched even though the company is aware of it.
About The New Unpatched Flaw
As per the original source, security researcher Arif Khan found the flaw in Mi Browser and Mint Browser (both developed by Xiaomi), which usually come pre-installed on Xiaomi devices. And, if not, you might have installed one of them from the Google Play Store.
The vulnerability, identified as CVE-2019-10875 and discovered by security researcher Arif Khan, is a browser address bar spoofing issue that originates because of a logical flaw in the browser’s interface, allowing a malicious website to control URLs displayed in the address bar.
Mohit Kumar, The Hacker News
This security flaw lets a malicious website take control of the address bar, making the browser vulnerable to URL spoofing.
In other words, if you are visiting a website in Mi Browser or Mint Browser, the webpage can control what your address bar displays and may pose as a legitimate website, so the URL you see is no longer a reliable indication of which site you are actually on.
Xiaomi Knows About It But Does Nothing
It is interesting to note that this issue has already been reported to Xiaomi by the security researcher, and he has also been rewarded with a bug bounty, but they haven’t yet patched the vulnerability.
Also, the security researcher mentioned that he was paid just $99 for each of the two browsers’ vulnerabilities. It seems like Xiaomi does not consider this issue as something serious for its smartphone users. Is that the case, Xiaomi?
The Hacker News also reported:
The researcher also confirmed The Hacker News that the issue only affects the international variants of both the web browsers, though the domestic versions, distributed with Xiaomi smartphones in China, do not contain this vulnerability.
So, is Xiaomi deliberately putting International Android smartphones at risk?
Well, I can’t comment on that one unless Xiaomi issues a public statement on the issue. But things don’t look good for Xiaomi if security flaws like these exist and are left unpatched.
In either case, I recommend using Google Chrome or Mozilla Firefox as your preferred browser.
If you want to take a look at how this exploit works, here’s the video uploaded by the security researcher explaining it:
With all the buzz going on about the security flaws in Xiaomi devices and applications, I wouldn’t be the one recommending Xiaomi devices for now.
What do you think about this? Do you think Xiaomi deliberately left this flaw unpatched?