A critical bug in the Hindotech HK1 TV Box would allow root-privilege escalation thanks to improper access control. The bug, which is awaiting a CVE assignment, comes in at 9.3 out of 10 on the CvSS severity scale. A successful exploit would allow attackers to steal social-networking account tokens, Wi-Fi passwords, cookies, saved passwords, user-location data, message history, emails, contacts and more. Attackers could also use the HK1 Box maliciously to sniff other devices on the same network.
Source: https://threatpost.com/authentication-bug-android-smart-tv-data-theft/160025/