Researchers have discovered that several popular Android applications in the Google Play Store with millions, even a billion downloads are susceptible to a path traversal-related vulnerability that is being referred to as the 'Dirty Stream Flaw'. In the recently-released report, the Microsoft Threat Intelligence team, stated, "The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application's implementation." Successful exploitation of this vulnerability could allow an attacker to take full control of the application's behavior and leverage the stolen tokens to gain unauthorized access to the victim's online accounts and other data.

Xiaomi File Manager and WPS Office Vulnerable to Dirty Stream Flaw

The bug stems from the Android FileProvider class, a subclass of the ContentProvider class which is used to facilitate file sharing or picking between different applications while still maintaining secure isolation between each other. A correct implementation would provide a reliably solution for file sharing between applications, while an improper implementation could be exploited to bypass typical read/write restrictions or overwrite critical files within Android. While the researchers identified several applications potentially vulnerable to the attack and representing over 4 billion downloads together, they suspect that the vulnerability may be present in other applications. The Xiaomi Inc.’s File Manager (com.mi. Android.globalFileexplorer) with a billion downloads and WPS Office (WPS Office (cn.wps.moffice_eng) with over 500 million downloads are two prominent examples among the identified applications. The vulnerabilities were reported by the researchers to the Xiaomi, Inc. and WPS Office security teams, who deployed fixes for these apps on February 2024 with Xiaomi published version V1-210593 of it's file manager application and version 17.0.0 of WPS Office. Users are advised to keep their device and installed applications up to date. The researcher stated that their motive behind the publication of the research was to prompt developers and publishers to check if their apps were affected and issue fixes accordingly.

Dirty Stream Flaw Could Permit Overwrite &  Data Exfiltration

If successfully exploited, the vulnerability could permit an attacker to overwrite the target app's configuration file and force it to communicate with an attacker-controlled server, potentially leading to the exfiltration sensitive information and arbitrary command execution. The researchers behind the findings also collaborated with Google to publish an official guidance on Android Developers website, stating appreciation for the partnership with the Google’s Android Application Security. The Android developer guidance issued by Google, urges developers to handle the filename provided by the server application properly while ignoring filenames provided by the server applications rather than internally generated unique filename identifier as the filename, stating that there should be a sanitization check if internally-provided identifiers were not possible. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.