CVE-2021-33057
📋 TL;DR
This vulnerability in the QQ application, version 8.7.1, allows attackers to bypass location permission checks and read device GPS coordinates without user consent. It affects Android and iOS users of the QQ messaging app. Attackers can exploit it through malicious mini-programs to track user locations.
💻 Affected Systems
- QQ application
📦 What is this software?
QQ by Tencent
⚠️ Risk & Real-World Impact
Worst Case
Continuous location tracking of users leading to physical stalking, targeted attacks, or surveillance without user knowledge.
Likely Case
Intermittent location data collection for advertising profiling, social engineering, or unauthorized monitoring.
If Mitigated
No location access without explicit user permission through proper permission enforcement.
🎯 Exploit Status
Exploitation requires the user to run a malicious mini-program, but it does not require authentication or special permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 8.7.1
Vendor Advisory: https://tencent.com
Restart Required: Yes
Instructions:
1. Open the app store (Google Play Store or Apple App Store).
2. Search for QQ.
3. Update to the latest version.
4. Restart the application.
🔧 Temporary Workarounds
- Disable location services for QQ: prevent QQ from accessing location data at the OS level.
- Uninstall the vulnerable version: remove QQ 8.7.1 until a patched version is available.
🧯 If You Can't Patch
- Disable QQ mini-program functionality in app settings
- Use device-level location permission controls to deny QQ access
🔍 How to Verify
Check if Vulnerable:
Check the QQ app version in the app settings; if the version is 8.7.1, you are vulnerable.
Check Version:
Open QQ → Settings → About → Check version number
Verify Fix Applied:
Update the QQ app and verify that the version is higher than 8.7.1, then confirm that location permission prompts appear.
📡 Detection & Monitoring
Log Indicators:
- Multiple location API calls from QQ without corresponding permission grants
- MapContext.getCenterLocation calls without user interaction
Network Indicators:
- Unexpected location data transmission from QQ app
- GPS coordinate data sent to unexpected endpoints
SIEM Query:
app_name:"QQ" AND (event_type:"location_access" OR api_call:"getCenterLocation") AND permission_granted:false
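The SIEM query above only matches events that already carry `permission_granted:false`. The following added example (not from this page, Tencent, or the referenced reports) shows a stateful version of the same rule: it correlates QQ `getCenterLocation` calls against earlier `permission_grant` events for the same device, so a call that simply lacks a prior grant is flagged too. The JSON log format, field names and sample events are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample events in JSON-lines form (not real QQ telemetry).
SAMPLE_LOG = """
{"ts": "2021-06-01T10:00:01Z", "device": "dev-A", "app_name": "QQ", "event_type": "permission_grant", "permission": "location"}
{"ts": "2021-06-01T10:00:05Z", "device": "dev-A", "app_name": "QQ", "event_type": "location_access", "api_call": "getCenterLocation", "permission_granted": true}
{"ts": "2021-06-01T10:01:00Z", "device": "dev-B", "app_name": "QQ", "event_type": "location_access", "api_call": "getCenterLocation", "permission_granted": false}
{"ts": "2021-06-01T10:01:02Z", "device": "dev-B", "app_name": "QQ", "event_type": "location_access", "api_call": "getCenterLocation", "permission_granted": false}
{"ts": "2021-06-01T10:02:00Z", "device": "dev-C", "app_name": "Maps", "event_type": "location_access", "api_call": "getCurrentPosition", "permission_granted": false}
{"ts": "2021-06-01T10:03:00Z", "device": "dev-D", "app_name": "QQ", "event_type": "location_access", "api_call": "getCenterLocation"}
"""

LOCATION_APIS = {"getCenterLocation"}  # API named in the log indicators above


def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_location_access(ev):
    return ev.get("event_type") == "location_access" or ev.get("api_call") in LOCATION_APIS


def find_ungranted_access(events, app="QQ"):
    """Flag location calls by `app` where the log says permission_granted is false,
    or where no earlier location permission_grant was seen for the same device."""
    granted = set()  # devices that granted location to `app` so far (log order)
    alerts = []
    for ev in events:
        if ev.get("app_name") != app:
            continue
        if ev.get("event_type") == "permission_grant" and ev.get("permission") == "location":
            granted.add(ev["device"])
            continue
        if not is_location_access(ev):
            continue
        explicit_false = ev.get("permission_granted") is False
        no_prior_grant = ev["device"] not in granted
        if explicit_false or no_prior_grant:
            alerts.append((ev["device"], ev["ts"], ev.get("api_call")))
    return alerts


def devices_with_repeated_access(alerts, threshold=2):
    """Devices with 'multiple location API calls without corresponding grants'."""
    counts = Counter(device for device, _, _ in alerts)
    return sorted(d for d, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = find_ungranted_access(parse_events(SAMPLE_LOG))
    for alert in found:
        print("ALERT", alert)
    print("repeat offenders:", devices_with_repeated_access(found))
```

dev-A is not flagged because its grant precedes the call; dev-D is flagged even though its event has no `permission_granted` field at all, which the plain SIEM query would miss.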
🔗 References
- https://arxiv.org/pdf/2205.15202.pdf
- https://github.com/BESTICSP/Vulnerabilities-Related-to-Mini-Programs-Permissions/blob/main/QQ%20applet%20location%20permission%20vulnerability%20report.pdf
- https://tencent.com