Element Android (<1.6.12) is affected by an intent redirection, allowing a third-party malicious application to start any internal activity by passing extra parameters. Possible impact includes making Element Android display an arbitrary web page, executing arbitrary JavaScript, bypassing PIN code protection, and account takeover by spawning a login screen to send credentials to an arbitrary Matrix home server.
“Element is the flagship secure collaboration app for the decentralized Matrix communication network. Element lets you own your own end-to-end encrypted chat server, while still connecting to everyone else in the wider Matrix network.”. For more information visit https://element.io/.
The Element Android application exposes to other applications an intent receiver, im.vector.app.features.Alias
, to launch its MainActivity
.
By specifying the EXTRA_NEXT_INTENT
extra when calling it, it is possible to use it as a proxy to call other internal activities, even though they are defined with exported=false
in the AndroidManifest.xml
file.
The vulnerability is contained in the following snippet of code in MainActivity.kt
:
|
|
Considering that MainActivity
is exported, any application installed on the device can invoke it with an arbitrary EXTRA_NEXT_INTENT
to invoke arbitrary internal activities.
This proof-of-concept will reproduce the scenario that, based on our analysis, has the highest security impact: redirection to LoginActivity
to Account Takeover.
To reproduce the vulnerability it is needed to develop and install an application on a device where Element Android is installed.
OnCreate
function for MainActivity
, add the following code:
|
|
im.vector.app.features.login
. Set the content of the file to:
|
|
Notice that the same rogue server can be used to leak OTP codes, in case the account is protected by Multi-Factor Authentication.
In order to make the attack even more transparent to the victim, the attacker could:
MainActivity
which is still correctly logged into the legitimate Matrix server.Note: The PoC for the PIN modify attack would be similar, by declaring the extra as follows:
|
|
and creating the PinMode
package with the correct content, taking it from the source code of the Element application. The same goes for other sensitive activities like VectorWebViewActivity
.
An attacker who can install a malicious app on the victim’s device can launch arbitrary activities in the contest of the application.
Setting the associated extra
s on the injected Intent, this makes possible to interact with the app in undesired and malicious ways, bypassing security controls and forcing sensible actions to the extent of exfiltrating account credentials, leading to a complete account takeover.
Some examples:
VectorWebViewActivity
with the EXTRA_URL
extra, the application can be forced to launch a webpage controlled by the user, executing arbitrary JavaScript and showing to the user a malicious interface (UI Redressing);PinActivity
and setting the PinArgs
extra to PinMode.MODIFY
, it is possible to launch the activity to modify the PIN, without knowing the original one.LoginActivity
and setting the EXTRA_CONFIG
to contain the link to a rogue matrix server, the victim can be tricked into initiating a login flow with the rogue server, leading to a complete account takeover.The attack however requires a malicious app installed on the victim’s device. Depending on the attack scenario, interaction from the user is required.
Upgrade to Element 1.6.12 or later.
This report was subject to Shielder’s disclosure policy and Element’s disclosure policy:
This advisory was first published on https://www.shielder.com/it/advisories/element-android-intent-redirection/
Data
18 aprile 2024