Google releases ultra-exploitable Samba app, because not all of their ideas are good

Samba is a pretty useful networking tool (an implementation of the SMB file-sharing protocol), but earlier versions of that protocol were known to be extremely vulnerable to certain attacks.

Remember WannaCry, the ransomware that broke pretty much everything in May? And NotPetya, which reared its nasty head last week, causing particular devastation to machines in Ukraine? Both took advantage of flaws in SMBv1 to propagate and infect computers.

Anyway, Google has just released a Samba client for Android, and it only supports SMBv1 shares.

Literally, only SMBv1 shares. Android Police’s Corbin Davenport tested the app with a Samba share running the more modern and secure SMBv2 protocol, and found that it wouldn’t even connect.
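The flip side of that test is the check an administrator actually wants: does my own file server still accept the SMBv1 dialect at all? The script below is an added example, not code from the article or from Google's app; it sends a plain SMB1 NEGOTIATE offering only the `NT LM 0.12` dialect (what an SMBv1-only client does) and classifies the reply. The host and port are whatever you point it at; the reply layouts follow the public SMB1/SMB2 header formats.

```python
"""Audit whether a file server still negotiates SMBv1 (added example)."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_negotiate(dialects=(b"NT LM 0.12",)):
    """Build a NetBIOS-framed SMB1 NEGOTIATE request offering `dialects`."""
    # 32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    # 8-byte security features, reserved, TID, PIDLow, UID, MID.
    # Flags2 0xC801 = Unicode | NT status | extended security | long names.
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC801, 0, b"\x00" * 8,
        0, 0, 0xFEFF, 0, 0)
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # dialect list
    body = struct.pack("<BH", 0, len(data)) + data            # WordCount=0, ByteCount
    smb = header + body
    return struct.pack(">I", len(smb)) + smb  # NetBIOS session header (type 0 + length)


def classify_response(raw):
    """Map the server's reply to the NEGOTIATE above onto a verdict string."""
    if not raw:
        return "closed"            # server dropped the SMBv1 negotiate outright
    smb = raw[4:]                  # skip the NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return "smb2"              # server moved the conversation to SMB2/3
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35:
        return "unknown"
    word_count = smb[32]
    if word_count == 0:
        return "smb1-refused"      # error-shaped reply, no dialect chosen
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:
        return "smb1-refused"      # no common dialect: SMBv1-only clients cannot connect
    return "smb1-accepted"         # server still speaks the protocol version the worms abused


def probe(host, port=445, timeout=5.0):
    """Connect to `host`, offer only SMBv1, and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate())
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A verdict of `smb1-refused` or `closed` is the state you want your shares in; it is also exactly why Android Police's SMBv2-only share would not talk to this client.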

For context, this is the equivalent of Boeing building a hydrogen-fueled version of the 747 immediately after the explosion of the Hindenburg. Or Ford responding to drunk driving statistics by making a version of the Ford Fiesta that only works when you’re completely shitfaced.

Yes, it’s a pretty weak analogy, but you get the idea.

Given Google’s considerable resources, and the current momentum away from SMBv1, it’s pretty staggering that they’d release something so problematic from a security perspective.

But they have, and here we are. SMH Google.

Related: Google ships WannaCrypt for Android, disguised as Samba app (The Register)