Elliot Alderson @fs0c131y French security researcher. Worst nightmare of Oneplus, Wiko, UIDAI, Kimbho, BJP IT Cell and others. Not completely schizophrenic. Not related to USANetwork. Jan. 16, 2019 1 min read

With more than 100,000,000 downloads, ES File Explorer is one of the most famous #Android file managers.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone  https://www.youtube.com/watch?v=z6hfgnPNBRE 

Technically, every time a user launches the app, an HTTP server is started. This server opens port 59777 locally. On this port, an attacker can send a JSON payload to the target.

You can find the proof of concept on this Github repo  https://github.com/fs0c131y/ESFileExplorerOpenPortVuln 

To sum up, an attacker connected to the same local network can remotely:
- get a file from your phone
- list all the apps installed on your phone
- list all your videos, images, audio files
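A defender's first question is whether a device on the network they administer actually exposes the listener described above. The following check is an added example, not code from the thread or from the proof-of-concept repository: it only tests whether TCP port 59777 accepts a connection on the hosts you pass it and sends no payload. The port number is the one named in the thread; the host addresses in the usage comment are constructed placeholders.

```python
import socket
from typing import Dict, Iterable

# Port the thread names: the HTTP listener ES File Explorer started on launch.
ES_FILE_EXPLORER_PORT = 59777


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    Only the TCP handshake is attempted; nothing is sent on the connection.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def check_hosts(
    hosts: Iterable[str],
    port: int = ES_FILE_EXPLORER_PORT,
    timeout: float = 1.0,
) -> Dict[str, bool]:
    """Map each host to whether the given port currently accepts connections."""
    return {host: port_is_open(host, port, timeout) for host in hosts}


if __name__ == "__main__":
    import sys

    # Usage (hosts are constructed examples; use devices you administer):
    #   python check_es_port.py 192.168.1.23 192.168.1.24
    for host, exposed in check_hosts(sys.argv[1:]).items():
        state = "port 59777 open: app listener exposed" if exposed else "closed"
        print(f"{host}: {state}")
```

A device that reports the port open should be treated as exposed to everyone on that network segment until the app is removed or no longer running; a closed result only means no listener at the moment of the check, since the thread notes the server starts each time the app is launched.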

Worth saying, I'm convinced this "feature" has been implemented by design. Imagine a scenario: I'm Chinese, I have ES File Explorer installed on my phone. I'm on the subway and I'm used to connecting to the public wifi. "The authorities" can use this "feature" against me.

As always, excellent article by @zackwhittaker  https://techcrunch.com/2019/01/16/android-app-es-file-explorer-expose-data/ 

I did a commit to fix a small issue on my script. If you have a problem with the script or have some improvements don't hesitate to contact me or to send a pull request!  https://github.com/fs0c131y/ESFileExplorerOpenPortVuln 

I love the #infosec community! The awesome @LukasStefanko found that ES File Explorer is vulnerable to a MITM attack 😅

Did I tell you that I found 2 other vulnerabilities in ES File Explorer? But I will keep them for another day.

I'm a mysterious security researcher 😂
