It is very important security-wise that app updates be applied as soon as they become available, regardless of platform. Recently a critical vulnerability has been discovered in the popular cross-platform app, SHAREit. With a global user-base of around 1.5 billion users, and versions for MacOS, Windows, iOS, and Android, a flaw in the app affects all users regardless of platform. The vulnerability, which affects the Android version the most contains weaknesses which enable unauthorized 3rd parties to steal files through the SHAREit app.
The vulnerable version of the app was known since 2017, and apparently fixed in a March 2018 update but some old (vulnerable) versions are still floating online.“Occurs mainly because the application fails to validate msgid parameter enabling a malicious client with a valid session to download any resource by directly referencing its identifier,” explained a RedForce researcher.
This opens a backdoor, where anyone can open a file from a user’s device as long as the SHAREit session is active. The intruder can visit http://shareit_sender_ip (take note of the lack of encryption, being http-only) for a copy of the settings file that governs the operations of the SHAREit app.
“Once a valid session is retrieved at least once, application adds the user to recognized devices and accepts any incoming download requests from this user. We can download whatever files we want from victim’s device but getting a valid session would trigger the alarms when they see unusual session and limiting it only to people we exchanged files before would dramatically decrease success rate,” said the RedForce team.
The developer of SHAREit expects all users to update to the newest version, as anything lower than v4.0.x has the trait of keeping the file transfer session running in the background, which in the Android version means that the unauthorized user has all the full capability to transfer and access files without the user’s consent. In versions 4.0 and newer, if the download/upload is not happening, the file transfer session is turned-off.
“There are other files that contain juicy information such as user’s Facebook token, Amazon Web Service user’s key, auto-fill data and cookies of websites visited using SHAREit webview and even the plaintext of user’s original hotspot (the application stores it to reset the hotspot settings to original values) and much more,” added the RedForce team.
The RedForce team has fully disclosed the details of the vulnerability in their official GitHub page https://github.com/redforcesec/DUMPit/. Before this site went-up, responsible disclosure to SHAREit developers has been done, in-order for the exploit not to be used as a zero-day (exploits discovered while it is actively being used in the Internet). RedForce team also released a proof-of-concept toolkit named “DUMPit!”. A GUI program that visibly demonstrates the weaknesses discovered in the SHAREit app, provides a non-destructive exploitation of the same and perform test file transfers. The SHAREit developers were also given access to the proof-of-concept program prior to the full public disclosure of the vulnerabilities.