ES File Explorer Vulnerability Exposed Files Saved On a Victim Android Phone


Researchers have spotted a vulnerability in ES File Explorer, a file manager popular among Android users. The vulnerability could allow an attacker on your network to steal files from the device remotely. Developers have patched the flaw in the latest version, so users should make sure their devices are updated to secure their data.

Multiple ES File Explorer Flaws Discovered

A researcher has identified a serious vulnerability in the Android ES File Explorer app. While the flaw may not be as critical, it certainly required a quick fix as it threatened the device’s security. According to his findings, the flaw could allow an attacker to pilfer files saved on a victim’s phone. The exposed files include pictures, videos, audio files, files stored on the SD card, and all system files.

The researcher, Robert Baptiste, who goes by the alias Elliot Alderson, disclosed his findings in a tweet last week.

As revealed, ES File Explorer had an HTTP server running in the background that started every time the app was launched. The server could continue to run even after the app was closed, unless the user deliberately cleared all of the app’s background services. He also shared a detailed PoC for the flaw (CVE-2019-6447) on GitHub, where he described:

“Every time a user is launching the app, a HTTP server is started. This server is opening locally the port 59777. On this port, an attacker can send a JSON payload to the target. These commands allow an attacker connected on the same local network to the victim, to obtain a lot of juicy information (device info, app installed, …) about the victim’s phone, remotely get a file from the victim’s phone and remotely launch an app on the victim’s phone.”

After this discovery, another researcher, Lukas Stefanko, pointed out a second flaw. This one made devices vulnerable to man-in-the-middle (MITM) attacks. As he described:

“Attacker has to be connected to the same network as the victim (Starbucks, coffee shop, public wifi…) to intercept victim’s traffic. App uses instead of secured HTTPS protocol HTTP that could be controlled by adversary if on same local network.”

He demonstrated the problem in a video.

Patch Released With The Latest Version

Both researchers reported the flaws to the developers of ES File Explorer, who in turn quickly worked on releasing fixes. The patched version of the app is now available on the Google Play Store.

The vulnerability affected all app versions up to The recently patched version available online is ES File Explorer v4.1.9.9, where the developers have confirmed fixing the “HTTP vulnerability in LAN”. Users of this app should therefore upgrade at the earliest to stay protected.
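To confirm that the background server on port 59777 is really gone after upgrading (or after closing the app), the device's listening-socket table can be checked. The following is an added example, not code from the researchers or the app: it assumes Linux-style `netstat -tln` text taken from the device (for instance over `adb shell`), and the sample output and function names are constructed for illustration.

```python
import ipaddress

ES_HTTP_PORT = 59777  # port named in the PoC description quoted above

# Constructed sample of `netstat -tln` output; not captured from a real device.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
tcp6       0      0 :::59777                :::*                    LISTEN
tcp        0      0 192.168.1.23:8080       0.0.0.0:*               LISTEN
"""

def parse_listeners(netstat_text):
    """Yield (address, port) for every TCP socket in LISTEN state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # banner, column header, or a non-listening socket
        host, _, port = fields[3].rpartition(":")  # split at the last colon (IPv6-safe)
        if port.isdigit():
            yield host.strip("[]"), int(port)

def lan_reachable(host):
    """True unless the socket is bound to a loopback address only."""
    if host in ("*", "", "::", "0.0.0.0"):  # wildcard bind: every interface
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # unknown notation: report it rather than hide it
    mapped = getattr(addr, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.1
    return not (mapped or addr).is_loopback

def exposed_es_listeners(netstat_text, port=ES_HTTP_PORT):
    """Return listeners on the ES File Explorer port that other LAN hosts can reach."""
    return [(h, p) for h, p in parse_listeners(netstat_text)
            if p == port and lan_reachable(h)]

if __name__ == "__main__":
    hits = exposed_es_listeners(SAMPLE_NETSTAT)
    print("exposed listener(s):" if hits else "port not exposed", hits)
```

An empty result after the upgrade, checked again once the app has been opened and closed, indicates the LAN-facing listener is no longer present.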


Abeerah Hashim
