[Update: Developer response] ES File Explorer vulnerability leaves your files exposed to anyone on the same network


In the early days of Android, ES File Explorer was one of the better ways to manage your storage. That hasn't been true for a long time, though. Not only is the app rather cluttered and buggy, security researcher Elliot Alderson (@fs0c131y on Twitter) points out this app makes your files vulnerable to theft. All you have to do is open it once.
According to Alderson, ES File Explorer launches an HTTP server on port 59777. This leaves your phone wide open to anyone on the local network with enough knowledge to exploit it. An attacker can use that port to inject a JSON payload. They can get information about the apps and files you have, and then it's a simple matter to download your data over the network. I have no way of knowing this, but it seems like this may be related to the app's file sharing feature. See below for a video demo.
Elliot Alderson@fs0c131y
With more than 100,000,000 downloads ES File Explorer is one of the most famous file manager.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://www.youtube.com/watch?v=z6hfgnPNBRE 
2,251
10:56 AM - Jan 16, 2019
1,958 people are talking about this
Twitter Ads info and privacy
ES File Explorer has north of 100 million downloads, so that could mean a lot of vulnerable devices out there. Thankfully, the attack only works over local networks. It's a good idea in general not to be on a network with untrusted people and devices, but this really drives the point home. Alderson says the vulnerability is in v4.1.9.7.4 and lower, and the Play Store page lists the same build. So, you aren't even safe on the latest version. There's no word from the developers yet, but ES File Explorer is still actively developed. Presumably, an update is forthcoming.

We reached out to the ES File Explorer devs to try and get their side of the story, or at least find out if steps were being taken to eliminate this vulnerability. Sure enough, the devs claim to be on top of this and have come up with a fix:
We have fixed the http vulnerability issue and released it. Waiting for the Google market to pass the review."
The most recent build in the Play Store is still the v4.1.9.7.4 one released this past Monday, so that review is apparently ongoing. Hopefully we'll see the fix land shortly.

Comments

Post a Comment

Popular posts from this blog

Linktree’s free workaround lets you add multiple links to your Instagram bio

Image
Instagram only gives you one opportunity to link to outside resources inside its photo sharing platform. This might not be a problem for a majority of the users, but for those wanting a little more customization and even more options, it leaves much to be desired. Enter  Linktree , a free tool for Instagram designed to improve traffic to your outside link, be it a blog, portfolio, or store. How it works is fairly straightforward. After connecting Linktree to your Instagram profile, you’ll receive a single link to place in your Instagram bio. Once that link in place, you can customize what it’s linked to within your browser, be it a single website, or a collection of sites you’re looking to direct followers to Say you’re a photographer who’s using Instagram as a marketing tool for your wedding photography. Using Linktree, you can direct Instagram followers to your blog, your portfolio site, and even your other social media accounts. Until now, you would’ve been stuck choosing b
Read more

EVERYTHING WE KNOW ABOUT THE PIXEL 4, THE MOST-LEAKED PHONE EVER

Image
Google’s  Pixel 3 might have been the  most-leaked phone in history . Long before its unveiling, we knew practically everything about it from unboxing videos, photo comparisons, even a full review of the device. Surely, for the Pixel 4, Google would clamp down on leaks to leave some surprises for its debut on  October 15th , right? Let’s just say, if that was the plan, it didn’t exactly work out. We’ve now seen the Pixel 4 XL from every angle and in three different colors. At least seven different sources have touched this phone, many of them confirming the same specs. We not only know which cameras it’ll have, but also what they may be capable of, including air gestures (go figure). That doesn’t even count information Google has already shared  on purpose. So if you want to know almost everything about the Pixel 4 nearly a month before it’s announced, buckle up. We’ve sifted through all of the rumors and information we can find to compile everything we know — and everything we
Read more

Our favorite iOS apps for the iPhone and iPad in 2018

Image
As 2018 comes to a close, it’s time to look at some our favorite apps of the year. While not all of these are brand new, many of them popped up onto our radar for the first time in 2018, and are definitely worth the attention. Others are some of our favorites that are still best-in-class despite having been around for some time now. We aim to do things differently at TNW, and as such you’re not going to find the recommendations you’re probably used to seeing: Gmail, Skype, Dropbox, and the like. Instead, we want to focus on the best-of-the-best that you may not have heard of, and others that are just special enough to warrant a mention. As always, we’d encourage you to share some of your favorites in the comments below, or on Facebook. Enlight Pixaloop (Free Pixaloop  is one of my favorite apps on the market. Unlike typical image editors that allow you to remove red eye or apply a filter, Pixaloop allows you to create stunning photo animations with a few clicks on your
Read more