Arbitrary File Corruption: End - to - End Encrypted Messaging Application
In this write-up, I’ll tell you how I was able to exfiltrate database and sandbox files from an End-to-End Encrypted Messaging Application.
Description
In the End-to-End Encrypted Messaging application there are several places where the application uses the URI returned from a GET_CONTENT, PICK, etc. intent without validating it. Because the returned URI is not sanitized, an attacker/malicious app can steal the application's files, including its database and sandbox files, by having the application copy them to public storage or send them.
Application Vulnerable Codes
- In file redacted/redacted/messenger/discussion/DiscussionActivity.java
- In file redacted/redacted/messenger/App.java
- In file redacted/redacted/messenger/discussion/DiscussionActivity.java
- In file redacted/redacted/messenger/App.java
- In file redacted/redacted/messenger/discussion/DiscussionActivity$$ExternalSyntheticLambda23.java
- Note the lines marked with a trailing //. This is where the vulnerability exists.
Other Vulnerable Code
- In file redacted/redacted/messenger/settings/StorageExplorer.java
- In file redacted/redacted/messenger/App.java
- In file redacted/redacted/messenger/settings/StorageExplorer$$ExternalSyntheticLambda2.java
- Note the lines marked with a trailing //. This is where the vulnerability exists.
Attack Scenario
- The app launches an implicit intent: startActivityForResult(new Intent("android.intent.action.PICK"), ANY_REQUEST_CODE)
- The attacker app handles the action and returns a Uri in the result data: setResult(-1, new Intent().setData("file:///data/user/0/redacted.redacted.messenger/databases/app_database"))
- The app receives the result in onActivityResult(requestCode, responseCode, resultIntent) and reads the file from its own local file system, since a file:// URI is opened in the app's own process with the app's own permissions.
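The check that is missing in the scenario above, as an added Java example that is not the messaging application's own code: PickedUriGuard and its method names are assumed names, and the rule it applies is to accept only content:// URIs served by another package and to reject file:// URIs (or any URI resolving into the app's private data directory) before the result is copied or sent.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ProviderInfo;
import android.net.Uri;
import java.io.File;
import java.io.IOException;

// Added example (not the vulnerable app's code): validate a Uri handed back by a
// PICK / GET_CONTENT result before the app opens it or forwards it anywhere.
public final class PickedUriGuard {

    private PickedUriGuard() {}

    // Accept only content:// Uris whose provider is owned by ANOTHER package.
    // file:// is refused outright: the path is opened in our own process, so a malicious
    // picker can name /data/user/0/<our pkg>/databases/... and we would read it ourselves.
    // A content:// Uri whose authority is one of our own providers is refused for the same reason.
    public static boolean isAcceptable(Context ctx, Uri uri) {
        if (uri == null || !"content".equalsIgnoreCase(uri.getScheme())) return false;
        String authority = uri.getAuthority();
        if (authority == null || authority.isEmpty()) return false;
        ProviderInfo info = ctx.getPackageManager().resolveContentProvider(authority, 0);
        if (info == null) return false;            // unknown (or not visible) authority: refuse
        return !ctx.getPackageName().equals(info.packageName);
    }

    // Defence in depth for legacy code paths that still accept file:// Uris: refuse any path
    // that canonicalises (after ../ segments and symlinks) into the app's private data directory.
    public static boolean isOutsidePrivateStorage(Context ctx, Uri uri) throws IOException {
        if (!"file".equalsIgnoreCase(uri.getScheme()) || uri.getPath() == null) return false;
        String dataDir = new File(ctx.getApplicationInfo().dataDir).getCanonicalPath();
        String target = new File(uri.getPath()).getCanonicalPath();
        return !target.equals(dataDir) && !target.startsWith(dataDir + File.separator);
    }

    // How the Activity's onActivityResult would use it: returns the Uri only when it passed.
    public static Uri pickedUriOrNull(Activity activity, int resultCode, Intent result) {
        if (resultCode != Activity.RESULT_OK || result == null) return null;
        Uri picked = result.getData();
        return isAcceptable(activity, picked) ? picked : null;   // null: log and do not copy/send
    }
}
```

On Android 11 and later resolveContentProvider only sees packages visible to the app, so a null result may also mean a missing queries declaration; refusing in that case is still the safe default.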
Attacker Application
- In file AndroidManifest.xml
- In file EvilActivity.java
Proof of Concept
- The uploaded database file of the End-to-End Encrypted Messaging application (screenshot).
Disclosure Timeline
- August 30, 2022 — I reported this vulnerability issue.
- September 1, 2022 — The vulnerability was confirmed, and a patch was being implemented.
- September 21, 2022 — The vulnerability was patched and I received a bounty.
Thanks for reading this article, I hope you learned something new today. Please share this article to spread the knowledge.
Don’t forget to follow and connect with me through LinkedIn, and Twitter.