Improper validation of intent data received in TextViewerActivity allows opening of arbitrary files in hamza417/inure


Reported on

Aug 13th 2023


Tested on Build87 of the Inure application. It was discovered that the application had an exported activity (.activities.association.TextViewerActivity) which accepted intent data via the file scheme + text/* mime type and opened the associated files from provided URI data string.

It is possible for a malicious application installed within the device to send an intent to this activity and supply a path to a file within the Inure application's private directory (/data/data/app.simple.inure) which the Inure application will then open.

Proof of Concept

PS C:\Users\Acer\Desktop\pwn-toolkit\apks\app.simple.inure> adb shell am start -n app.simple.inure/.activities.association.TextViewerActivity -d "file:///data/data/app.simple.inure/shared_prefs/Preferences.xml"  

Starting: Intent { dat=file:///data/data/app.simple.inure/shared_prefs/Preferences.xml cmp=app.simple.inure/.activities.association.TextViewerActivity }

This opens the Preferences.xml file which belongs to the Inure application's private directory. The impact of this vulnerability is constrained for now, since trying to Export this opened file crashes the whole application for some reason.


An application's internal directory and the files within it should never be accessible by other applications within a device. The vulnerability reported demonstrates that it is possible for malicious third-party applications to open/view arbitrary files belonging to the Inure app's private directory due to the lack of validation in the received intent data string.

We are processing your report and will contact the hamza417/inure team within 24 hours. a month ago
We have contacted a member of the hamza417/inure team and are waiting to hear back a month ago
Hamza Rizwan validated this vulnerability a month ago
Carlo Jae Avila has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Hamza Rizwan gave praise a month ago
Thanks for the report.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Hamza Rizwan marked this as fixed in build88 with commit 2176af a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 20th 2023
Hamza Rizwan published this vulnerability a month ago
to join this conversation