Element Android can be forced to share internal files

Moderate
dkasak published GHSA-8wj9-cx7h-pvm4 Feb 20, 2024

Package

im.vector.app (Kotlin)

Affected versions

>= 0.91.0, <1.6.12

Patched versions

1.6.12

Description

Impact

A third-party malicious application installed on the same phone can force Element Android, versions 0.91.0 (released on 2020-07-01) through 1.6.12, to share files stored under the files directory in the application's private data directory to an arbitrary Matrix room.

The impact of the attack is reduced by the fact that most of the resources stored in this folder are encrypted.

Patches

Fixed in Element Android 1.6.12 (commit 8f9695a).

Workarounds

Forks of Element Android which have set android:exported="false" in the AndroidManifest.xml file for the IncomingShareActivity activity are not impacted.
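
One way for a fork maintainer to check the workaround condition above is to audit the manifest for the effective exported state of IncomingShareActivity. This is an added example, not code from the advisory or from Element; the sample manifest, the package name org.example.fork and the alias .ShareAlias are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def effective_exported(component):
    """Return True/False for the component's exported state, None if unresolvable."""
    value = component.get(ANDROID + "exported")
    if value is None:
        # Attribute absent: the platform default is "exported" when the
        # component declares at least one intent filter, otherwise not.
        return component.find("intent-filter") is not None
    value = value.strip().lower()
    if value in ("true", "false"):
        return value == "true"
    return None  # e.g. a @bool/ resource reference; needs manual review

def audit_manifest(manifest_xml, activity="IncomingShareActivity"):
    """List (name, exported) for the activity and any alias that targets it."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            name = comp.get(ANDROID + "name", "")
            target = comp.get(ANDROID + "targetActivity", "")
            # An alias carries its own exported state, so it is reported separately.
            if activity in (name.rsplit(".", 1)[-1], target.rsplit(".", 1)[-1]):
                findings.append((name, effective_exported(comp)))
    return findings

# Constructed sample manifest (package and alias names are placeholders).
TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.fork"><application>
  <activity android:name=".share.IncomingShareActivity" {attr}>
    <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
  </activity>
  <activity-alias android:name=".ShareAlias" android:exported="true"
      android:targetActivity=".share.IncomingShareActivity"/>
</application></manifest>"""

if __name__ == "__main__":
    for attr in ("", 'android:exported="true"', 'android:exported="false"'):
        for name, exported in audit_manifest(TEMPLATE.format(attr=attr)):
            status = {True: "EXPORTED", False: "not exported", None: "REVIEW"}[exported]
            print(f"{attr or '(no attribute)':28} {name:32} {status}")
```

Run against the merged manifest of the build rather than the source file alone, since manifest merging can change the final attribute values.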

References

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Severity

Moderate

CVE ID

CVE-2024-26132

Weaknesses

Credits