According to the Play Store permissions readout, SHAREit requests access to the entire user storage and all media, the camera and microphone, and location. It can delete apps, run at startup, create accounts and set passwords, and do a whole lot more. This indicates that any third-party entity can still gain temporary read/write access to the content provider's data. Trend Micro says compromising the app can lead to remote code execution. In fact, they did not even think to limit SHAREit's content-provider capabilities, which is one of the sole factors that can give attackers access to the app's "private" directory. As per the report, “the developer behind this disabled the exported attribute via android:exported="false", but enabled the android:grantUriPermissions="true" attribute. In the past, vulnerabilities that can be used to download. They can also potentially lead to Remote Code Execution (RCE). The vulnerabilities can be abused to leak a user's sensitive data and execute arbitrary code with SHAREit permissions by using malicious code or a malicious app. Now, although the vulnerabilities exist in the app, the developers have done nothing to rectify them. We discovered several vulnerabilities in the application named SHAREit. Since its inception, billions of users have entrusted SHAREit to quickly and securely share their files. The SHAREit app is a leading file sharing, content streaming and gaming platform. So, the report states that using one of the many vulnerabilities in the app, an attacker could essentially take over your entire device and run malicious code remotely. There is a hugely popular Android app, used by people all over the world, that is not secure, as Trend Micro researchers have discovered: the app is called SHAREit Transfer & Share, is developed by Smart Media4U Technology Pte.Ltd. and is regularly available on Google's Play Store.
It can even access your smartphone's camera and microphone, create accounts, and set passwords. Due to this long list of granted permissions, SHAREit has access to almost your entire smartphone and the things that you store in it. As a result, the app, as per the report, has access to a user's entire storage including personal files, media, and other documents. In other words, it can be used to overwrite existing files in the SHAREit app. According to a report by Trend Micro, SHAREit is a kind of app that requires the user to grant access to a range of data and sensors on a smartphone. This can also be used to write any files in the app's data folder. The following code from our POC reads WebView cookies. Researchers built a simple proof of concept (PoC) and found that any app can invoke this broadcast component, he said. SHAREit is a multi-purpose cross-platform sharing app that promises high transfer speeds and free online feeds. In this case, all files in the /data/data/ folder can be freely accessed. This shows arbitrary activities, including SHAREit's internal (non-public) and external app activities. This indicates that any third-party entity can still gain temporary read/write access to the content provider's data. Even worse, the developer specified a wide storage area root path. The developer behind this disabled the exported attribute via android:exported="false", but enabled the android:grantUriPermissions="true" attribute. Any app can invoke this broadcast component.