ADVISORIES | April 1, 2019

Android (AOSP) Download Provider Request Headers Disclosure (CVE-2018-9546)

By Daniel Kachakil

A malicious application with the INTERNET permission granted could retrieve all entries from the Download Provider request headers table.

These headers may include sensitive information, such as session cookies or authentication headers, for any download started from the Android Browser or Google Chrome, among other applications.

Consider the impact that this would have on a user downloading a file from an authenticated website or URL. For example, an electronic statement file from an online bank or an attachment from corporate webmail may allow an attacker to impersonate the user on these platforms.

ADVISORIES |

Android (AOSP) Download Provider SQL Injection (CVE-2018-9493)

By Daniel Kachakil

By exploiting an SQL injection vulnerability, a malicious application without any permission granted could retrieve all entries from the Download Provider, bypassing all currently implemented access control mechanisms. Also, applications that were granted limited permissions, such as INTERNET, can also access all database contents from a different URI.

The information retrieved from this provider may include potentially sensitive information such as file names, descriptions, titles, paths, URLs (that may contain sensitive parameters in the query strings), etc., for applications such as Gmail, Chrome, or the Google Play Store.

Further access to the downloaded contents may be possible as well, depending on the permissions granted to the app and files.

By continuing to use the site, you agree to the use of cookies. more information