Element Android (<1.6.12) is affected by a sensitive file disclosure, allowing a third-party malicious application to force sharing files stored under the files
directory in the application’s private sandboxed data directory to an arbitrary room. Sensitive files include the encrypted chat database, the FCM tokens, etc.
“Element is the flagship secure collaboration app for the decentralized Matrix communication network. Element lets you own your own end-to-end encrypted chat server, while still connecting to everyone else in the wider Matrix network.”. For more information visit https://element.io/.
The Element Android application exposes an activity to share files from other applications towards arbitrary chats/rooms (e.g. share a photo from gallery into a room).
These files are shared via a Content Provider named MultiPickerFileProvider
that exposes, under the external_files
definition, all the files contained in the application sandbox pointing to /data/data/im.vector.app/files
.
Specifically, in the intent handler, the execution reaches the getIncomingFiles
in library/multipicker/src/main/java/im/vector/lib/multipicker/Picker.kt
, where the URI EXTRA_STREAM
is resolved by the content provider.
To reproduce the vulnerability, it is needed to develop and install an application on a device where Element Android is installed.
OnCreate
function of the MainActivity
class, add the following content:
|
|
$ROOM_ID
placeholder with the ID of a room both the attacker and the victim are participants of (it could be one of the most used public rooms).matrix-sdk-global.realm
was sent to the chosen room.A local malicious application can invoke the IncomingShareActivity
, which is exported, setting a content URI pointing to a private file, forcing sharing it to an arbitrary room. Moreover, by setting the EXTRA_SHORTCUT_ID
extra,
the application can force Element an arbitrary the room to which the file will be shared, in a way that does not require any interaction from the user.
Therefore, an attacker who can install a malicious app on the victim’s device might force the Element Android application to share private files to arbitrary rooms.
The attack however requires a malicious app installed on the victim’s device.
Upgrade to Element 1.6.12 or later.
This report was subject to Shielder’s disclosure policy and Element’s disclosure policy:
This advisory was first published on https://www.shielder.com/advisories/element-android-sensitive-file-disclosure/
Date
18 April 2024