Insecure Implementation of SetResult in exported Activity

The com.insecureshop.ResultActivity is exported and contains the following code:

    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setResult(-1, getIntent());
        finish();

The exported activity passes an Intent to the attacker via setResult(code, intent). Such configuration allows an attacker to access arbitrary content providers.

Going an extra mile

Can you read Phone contacts using this vulnerability?

Note: In order to read Phone contacts, you need to grant InsecureShop access to your contacts. You can enable this permission by long pressing the app icon and then going to App Info > Permissions. Here you need to enable the Contacts permission.

Reference:

Gaining access to arbitrary* Content ProvidersNews, Techniques & Guides

Two weeks of securing Samsung devices: Part 1News, Techniques & Guides

PreviousIntercepting Implicit intent to load arbitrary URL NextInsecure Content Provider

Last updated 2 years ago