Framer Preview 12 Content Injection

2020.09.23
Credit: Julien Ahrens
Risk: Low
Local: No
Remote: Yes
CWE: CWE-926

RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Framer Preview Vendor URL: https://play.google.com/store/apps/details?id=com.framerjs.android Type: Improper Export of Android Application Components [CWE-926] Date found: 2020-09-06 Date published: 2020-09-22 CVSSv3 Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) CVE: CVE-2020-25203 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Framer Preview 12 4. INTRODUCTION =============== Framer Preview is the best way to view and interact with your Framer X and Framer Classic projects on Android phones and tablets. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The "Framer Preview" app for Android exposes an activity to other apps called "com.framer.viewer.FramerViewActivity". The purpose of this activity is to show contents of a given URL via an fullscreen overlay to the app user. However, the app does neither enforce any authorization schema on the activity nor does it validate the given URL. This can be abused by an attacker (malicious app) to load any website/web content into the fullscreen overlay. An exemplary exploit could look like the following: Intent i = new Intent(); i.setComponent(new ComponentName("com.framerjs.android", "com.framer.viewer.FramerViewActivity")); i.setAction("android.intent.action.VIEW"); i.setData(Uri.parse("https://www.rcesecurity.com")); startActivity(i); 6. RISK ======= A malicious app on the same device is able to exploit this vulnerability to lead the user to any webpage/content. The specific problem here is the assumed trust boundary between the user having the Framer Preview app installed and what the app is actually doing/displaying to the user. So if the user sees the app being loaded and automatically loading another page, it can be assumed that the loaded page is also trusted by the user. 7. SOLUTION =========== - 8. REPORT TIMELINE ================== 2020-09-06: Discovery of the vulnerability 2020-09-06: CVE requested from MITRE 2020-09-07: Contacted vendor via their security@, no response 2020-09-08: MITRE assigns CVE-2020-25203 2020-09-09: Informed vendor about the CVE assignment, no response 2020-09-22: Public disclosure due to unresponsive vendor 9. REFERENCES ============= -


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top