Arbitrary File Corruption: End-to-End Encrypted Messaging Application

Neil Mark Ochea
3 min read · Sep 23, 2022


In this write-up, I’ll tell you how I was able to exfiltrate database and sandbox files from an end-to-end encrypted messaging application.

Description

In the end-to-end encrypted messaging application there are several places where the app uses the URI returned from a GET_CONTENT, PICK, or similar implicit intent. Because the returned URI is not sanitized, a malicious app on the same device can steal files, including the database and other sandbox files, by having the app copy them to public storage or send them as attachments.

Vulnerable Application Code

  • In file redacted/redacted/messenger/discussion/DiscussionActivity.java
  • In file redacted/redacted/messenger/App.java
  • In file redacted/redacted/messenger/discussion/DiscussionActivity.java
  • In file redacted/redacted/messenger/App.java
  • In file redacted/redacted/messenger/discussion/DiscussionActivity$$ExternalSyntheticLambda23.java
  • Note the lines marked with a trailing // comment. This is where the vulnerability lies.

Other Vulnerable Code

  • In file redacted/redacted/messenger/settings/StorageExplorer.java
  • In file redacted/redacted/messenger/App.java
  • In file redacted/redacted/messenger/settings/StorageExplorer$$ExternalSyntheticLambda2.java
  • Note the lines marked with a trailing // comment. This is where the vulnerability lies.

Attack Scenario

  • The app launches an implicit intent: startActivityForResult(new Intent("android.intent.action.PICK"), ANY_REQUEST_CODE)
  • The attacker app handles the action and puts a Uri in the result data: setResult(-1, new Intent().setData("file:///data/user/0/redacted.redacted.messenger/databases/app_database"))
  • The app receives the result in onActivityResult(requestCode, responseCode, resultIntent) and reads the URI, which points into its own local file system.
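The fix for this scenario is a check on the receiving side, before the returned URI is opened or forwarded. The following Java helper is an added example written for this write-up; it is not code from the application and its class and method names (ResultUriGuard, PickerHostActivity) are assumptions. It refuses file:// URIs whose canonical path falls inside the app's own private storage and content:// URIs served by a provider that belongs to the app itself (for example its own FileProvider), and it fails closed for anything it cannot resolve.

```java
import android.app.Activity;
import android.content.ClipData;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ProviderInfo;
import android.net.Uri;
import android.util.Log;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper (not from the write-up): vets URIs returned by a PICK/GET_CONTENT result. */
public final class ResultUriGuard {
    private ResultUriGuard() {}

    /**
     * Collects every URI carried by the result Intent (getData() plus any ClipData items).
     * Returns null if any one of them must not be read, so a result mixing legitimate and
     * attacker-supplied URIs is dropped as a whole instead of partially forwarded.
     */
    public static List<Uri> vetResult(Context ctx, Intent result) {
        List<Uri> uris = new ArrayList<>();
        if (result == null) return uris;
        if (result.getData() != null) uris.add(result.getData());
        ClipData clip = result.getClipData();
        if (clip != null) {
            for (int i = 0; i < clip.getItemCount(); i++) {
                Uri u = clip.getItemAt(i).getUri();
                if (u != null) uris.add(u);
            }
        }
        for (Uri u : uris) {
            if (!isSafeResultUri(ctx, u)) return null;
        }
        return uris;
    }

    /** True only if the URI refers to data outside this app's own sandbox. */
    public static boolean isSafeResultUri(Context ctx, Uri uri) {
        String scheme = uri.getScheme();
        if (scheme == null) return false;
        switch (scheme) {
            case "content":
                return isForeignProvider(ctx, uri.getAuthority());
            case "file":
                // Legacy file URIs: accept only if the resolved path is outside private storage.
                return isOutsidePrivateStorage(ctx, uri.getPath());
            default:
                return false; // http(s), android.resource, javascript, ...: never a picked file
        }
    }

    private static boolean isForeignProvider(Context ctx, String authority) {
        if (authority == null) return false;
        ProviderInfo info = ctx.getPackageManager().resolveContentProvider(authority, 0);
        // Unknown authority, or a provider exported by this very app: refuse.
        return info != null && !ctx.getPackageName().equals(info.packageName);
    }

    private static boolean isOutsidePrivateStorage(Context ctx, String path) {
        if (path == null) return false;
        try {
            // getCanonicalPath() collapses "../" segments and follows symlinks (e.g. /data/data -> /data/user/0)
            // before the prefix comparison, so both spellings of the sandbox path are caught.
            String target = new File(path).getCanonicalPath();
            List<File> roots = new ArrayList<>();
            roots.add(new File(ctx.getApplicationInfo().dataDir)); // databases/, shared_prefs/, files/, cache/
            for (File f : ctx.getExternalFilesDirs(null)) if (f != null) roots.add(f);
            for (File f : ctx.getExternalCacheDirs()) if (f != null) roots.add(f);
            for (File root : roots) {
                String r = root.getCanonicalPath();
                if (target.equals(r) || target.startsWith(r + File.separator)) return false;
            }
            return true;
        } catch (IOException e) {
            return false; // cannot resolve the path: fail closed
        }
    }
}

/** Hypothetical activity showing where the check sits relative to the original flow. */
class PickerHostActivity extends Activity {
    private static final String TAG = "PickerHost";
    private static final int PICK_ATTACHMENT = 1001; // assumed request code

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != PICK_ATTACHMENT || resultCode != RESULT_OK) return;
        List<Uri> safe = ResultUriGuard.vetResult(this, data);
        if (safe == null) {
            Log.w(TAG, "Dropped picker result pointing at private storage");
            return;
        }
        // Only now may the app open each URI via getContentResolver().openInputStream(uri)
        // and attach or copy it.
    }
}
```

The content:// branch matters as much as the file:// one: an app's own FileProvider happily serves paths under its sandbox, so a result URI naming the app's own authority must be rejected even though the scheme looks legitimate. Detection-wise, a file:// or self-authority URI arriving in a picker result is worth logging, as no well-behaved picker returns either.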

Attacker Application

  • In file AndroidManifest.xml
  • In file EvilActivity.java

Proof of Concept

  • The uploaded database file of the End-to-End Messaging application.

Disclosure Timeline

  • August 30, 2022 — I reported this vulnerability issue.
  • September 1, 2022 — The vulnerability was confirmed and a patch was being prepared.
  • September 21, 2022 — The vulnerability was patched and a bounty was awarded.

Thanks for reading this article. I hope you learned something new today. Please share this article to spread the knowledge.

Don’t forget to follow and connect with me through LinkedIn, and Twitter.
