Bitwarden: Vulnerable exported broadcast receiver

ID H1:289000
Type hackerone
Reporter b3nac
Modified 2017-11-10T05:24:14


Good evening,

This is actually in your code base this time. :)

Since the following broadcast receiver has export=true it can be exploited by 3rd parties.


com.x8bit.bitwarden.PackageReplacedReceiver has exported set to true making the receiver vulnerable to tampering.



I was able to send information to the receiver and get a response with Drozer. This gives me further information to craft the right payload.



In the manifest changing exported to false or if the broadcast needs to be exported the following would be the correct fix.

At the top of the manifest with the other permissions.

<permission android: name="com.x8bit.bitwarden.PackageReplacedReceiverPermission" android:protectionLevel="signature" />

Modified receiver manifest entry. <receiver android:name="com.x8bit.bitwarden.PackageReplacedReceiver" android:exported="true" android:permission="com.x8bit.bitwarden.PackageReplacedReceiverPermission"> <intent-filter> <action android:name="android.intent.action.MY_PACKAGE_REPLACED" /> </intent-filter> </receiver>

Adding the signature custom permission makes it so the broadcast can only be used with applications that were signed with the same key.

Please let me know if you have any questions. Great job on this app by the way. It's one of the most secure apps I've seen so far on H1.