Mobile Vulnerability Database (MVD)




The Android operating system is the most widely used operating system for mobile devices. Android has around 82.8% (IDC) market share and is a favourite  target for attackers. One of the latest vulnerabilities, StageFright, allows the attacker to execute arbitrary code on an Android device which takes advantage of a flaw that exists in media library stagefright. Considering other platforms such iOS, Windows, and Blackberry, Varutra is maintaining the vulnerabilities related to mobile operating systems in the Mobile Vulnerability Database (MVD). Varutra has developed the MVD application for the Android platform which identifies vulnerabilities on the Android operating system and provides detailed vulnerability reports, and which is freely available on Playstore for all Android users. The applications for other platforms are under development and will be available very soon for iOS, Windows and Blackberry.

MVD (Mobile Vulnerability Database):

Mobile Vulnerability Database, or MVD, is a unique place to find out about vulnerabilities reported worldwide for Mobile Platforms.

A user can browse through vulnerabilities specific to their mobile platform and the particular version. The objective of MVD is to give a common place for mobile users to get acquainted with the vulnerabilities that might exist on their devices. Users can choose to receive specific vulnerability details as a report via Email.

1. MVD

Platforms covered by MVD

At present MVD covers major mobile smartphone platforms such as Android, Blackberry, iOS and Windows Phone.

2.1 PlatformsMVD Web Application:

MVD is also available in web interface where users can search and gather information related to mobile operating system vulnerabilities by simply searching by the Common Vulnerabilities and Exposures (CVE ID) vulnerability category.

A user can browse through vulnerabilities specific to their mobile platform and the particular version. The objective is to give a common place for mobile users to get acquainted with what vulnerabilities might exist on their devices. Additionally, users can choose to receive specific vulnerability details as a report via Email.

Web Application

For more information: http://varutra.com/mvd/

MVD Platforms:

MVD is developed for mobile operating systems such as Android, iOS, BlackBerry and Windows

3.1 MVD PlatformsTerminologies related to MVD

What is KVID?

KALP Varutra ID (KVID) is a unique number assigned to each reported vulnerability; maintained in the MVD database by the Varutra team.

E.g. KVA01 for Android, KVB01 for Blackberry, KVI01 for iOS and KVW01 for Windows Phone

Note: KALP stands for Knowledge Attained Learn Process. It is a blog for information published on the World Wide Web and consisting of discrete entries (“posts”) typically displayed in reverse chronological order.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this “common enumeration.”

For more information: https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

What is CVSS?

Common Vulnerability Scoring System (CVSS) is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization.

For more information:


CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical).

E.g. BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

MVD Feature:

MVD feature How to get the Vulnerability Report on Email?

The user can register with their Name and Email ID on Register for Vulnerability Report and then select the required platform and version to receive the report. A module is being implementing where once a user is registered they will get automatic updates for any new vulnerabilities reported in the platform and version specifically chosen by the user.

4.1 Vulnerability Report

 Users can now access the MVD on their Android Smartphones, Tablets.

The MVD Android application covers major mobile smartphone / tablet platforms such as Android, Blackberry, iOS and Windows Phone. Users can register with their Name and Email ID on “Register for Vulnerability Report” and then select the desired mobile platform and version to receive the report. Users can also download the MVD Android application on your device from Google Play:



MVD very useful for mobile phone users who are interested in knowing the vulnerabilities in their Android phone and want to mitigate the vulnerabilities. Additionally, MVD is useful for security researchers interested in knowing the vulnerabilities present in multiple mobile operating systems.

For more Details reading Pentestmag


Mr. Chetan Gulhane

Security Consultant, Varutra Consulting Pvt. Ltd.


CSRF Vulnerability on LinkedIn


In previous blog we have seen a critical vulnerability in LinkedIn password reset module allowing an attackers to compromise LinkedIn user’s account and how helpless a LinkedIn user in case of an actual compromise of his / her account in real world scenario.

Here is a new vulnerability Cross-Site Request Forgery, CSRF present on LinkedIn Recommendation Section, which allows attacker to delete any Recommendation of Any user. 


Lets us understand the issue and simplicity of this attack.

1. Attacker / malicious LinkedIn user can check the recommendation given by LinkedIn User 1 to LinkedIn User 2.

2. Attacker logs into LinkedIn account, goes to the web page source and search for strings such as “Recommendation for USERNAME”.


 Figure: Web page source shows the recommendation details with a unique Id ”515940281” for User 1’s recommendations to User 2.


3. To craft a malicious CSRF link attacker goes to Manage Recommendation area and check for any recommendations he has posted for others.  Clicks on it and copy the URL for any one recommendation.

The URL will be



Figure: Analyzing and collecting URL for Displaying and Withdrawing a User’s recommendation.

 4. Now same way the URL to withdraw any given recommendation by the attacker is


The only difference is to change the parameter from ‘dep’ to ‘wdr’.

Craft a URL for removing or withdrawing recommendation from User 1 to User 2 is


This is the shortest and simplest form of the vulnerable CSRF link.

5. Send this URL to User 1 in an email. More dangerously, the same CSRF link can be send using LinkedIn mail feature.

6. On clicking this link by User 1 the selected recommendation given by User 1 to User 2 will be withdrawn or deleted.


On reporting this issue LinkedIn was prompt to acknowledge the vulnerability and have mitigated it.

More can be read at http://packetstormsecurity.com/files/127259/

Author: Kishor Sonawane


Insecure URL redirection in Google+

URL Redirection

Our team identified a vulnerability in Google+ (Google Plus) service which can be used to perform malicious URL redirection. It was possible to bypass the Google+ ‘Redirect Notice’ and divert user to a malicious site.  The issue takes advantage of Google+ facility to redirect users from Google service to third party sites.

When User is redirecting to a third party site(s), Google+ shows a Redirect Notice that the user is about to be re-directed and thus user can make a choice of either continuing with re-direction or stay with Google+.

Varutra team could successfully bypass the redirect notice and came up with a way to directly divert the users to third party site(s) without any notice or correspondence from Google+. The severity of the identified threat is raised by the fact that the victim user need not be logged in to the Google+ account.

Below are the steps to reproduce the issue:

I. Please note, these steps are just to showcase the consequence of the vulnerability and are given for educating users about the threats, Varutra does not hold any responsibility for use/misuse of this information.

II. Attacker navigates to page http://plus.url.google.com/url?q= and enters the malicious URL of choice. (http://plus.url.google.com/url?q=http://www.malicious-site.com)

III. Google+ generates a redirection request/URL ands show a Redirect Notice with two options;

    1. The previous page is sending you to http://www.malicious-site.com
    2.  If you do not want to visit that page, you can return to the previous page.

IV. The redirection URL will look like http://plus.url.google.com/url?q=http://www.malicious-site.com&ei=Fw0WUoPPGcvwrQfwqIFI&sa=X&ct=targetlink&ust=1377178655421471&usg=AFQjCNHfnI0h_f5_uqegvYZ

V. Attacker right clicks on the www.malicious-site.com and copy link location

VI. This link then can be sent to victim user through numerous and best suited ways to redirect him/her to the http://www.malicious-site.com without any notice from Google+

The only thing to notice is that this link is temporary and valid for approximately 30 minutes.

It was also observed that other Google services such as google.com (search engine) and orkut.com are also open to this issue.