Researchers have spotted a vulnerability in the popular file manager among Android users, ES File Explorer. The vulnerability could allow a potential attacker on your network to steal files from the device remotely. Developers have patched the flaw in the latest version. Hence, users must ensure updating their devices to secure their data.
Multiple ES File Explorer Flaws Discovered
A researcher has identified a serious vulnerability in the Android ES File Explorer app. While the flaw may not be as critical, it certainly required a quick fix as it threatened device’s security. According to his findings, the flaw could allow an attacker to pilfer files saved on a victim phone. The exposed files include pictures, videos, audio files, files stored on the SD card, and all system files.
The researcher Robert Baptiste with alias Elliot Alderson disclosed his findings in a tweet last week.
With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN
— Elliot Alderson (@fs0c131y) January 16, 2019
As revealed, ES File Explorer had an HTTP server running in the background that opened upon launching the app every session. The server could continue to run even after closing the app unless the user deliberately cleared all background services of the app. He also shared the detailed PoC of the flaw (CVE-2019-6447) on Github, where he described,
“Every time a user is launching the app, a HTTP server is started. This server is opening locally the port 59777. On this port, an attacker can send a JSON payload to the target. These commands allow an attacker connected on the same local network to the victim, to obtain a lot of juicy information (device info, app installed, …) about the victim’s phone, remotely get a file from the victim’s phone and remotely launch an app on the victim’s phone.”
“Attacker has to be connected to the same network as the victim (Starbucks, coffee shop, public wifi…) to intercept victim’s traffic. App uses instead of secured HTTPS protocol HTTP that could be controlled by adversary if on same local network.”
He demonstrated the problem in a video.
Patch Released With The Latest Version
Both the researchers reported the flaws to the developers of ES File Explorer. The developers, in turn, quickly worked out on releasing fixes. Finally, we now have the patched version of the app available on Google Play Store.
The vulnerability affected all app versions up to 126.96.36.199.4. The recently patched version available online is ES File Explorer v188.8.131.52, where they have confirmed fixing the “HTTP vulnerability in LAN”. The users of this app should, hence, make sure to upgrade their app versions at the earliest to stay protected.