ES File Explorer is one of the most popular File Manager apps in the play store with tons of features and claims 500million users since 2014. But this app now has a security loop-hole by which anyone can access the victim’s data via any connected WiFi network. The attacker needs only a simple JSON Script to do so.
But behind the scenes, the app is running a slimmed-down web server on the device. In doing so, it opens up the entire Android device to a whole host of attacks — including data theft.
Table of Content
How it was discovered?
How the data can be stolen?
He showed using a simple script how anyone can pull audios videos images apps from a victim’s phone, install an app on the victim’s phone or access/modify any files.
Likewise, everytime a user is launching ES File Explorer, an HTTP server is started. This server is opening locally the port 59777. On this port an attacker can send a JSON Script:
What are the features of the script?
- List all the files in the SD Card in the victim device
- Acquire all the pictures in the victim device
- List all the videos and audios in the victim device
- Retrieve all the apps (System/Installed) installed in the victim device
- Get device info of the victim device
- Pull a file from the victim device
- Launch an app of your choice
- Get the icon of an app of your choice
Chances of exploitation?
In simple words, the exploitation is possible only if the attacker and victim are connected through the same WiFi network. But if you’re using ES File Explorer over a data connection or in your home WiFi, chances are, you might be safe. This slims down the probability of exploitation. But with increasing Railway WiFi(s), Starbucks WiFi’s etc., this might become a big threat.
Affected Versions of the App?
Specifically, affected versions are 184.108.40.206.4 and below, according to Elliot Alderson. So, our tech Burner team will suggest you to stop using this version, simply install the latest update of ES File Explorer from Google Play Store.
ES File Explorer team’s response?
Currently, the app is running on 220.127.116.11. The PlayStore’s What’s New section describes:
Es File Explorer team Fixed the HTTP vulnerability in LAN.
So we can expect that ES File Explorer team has fixed in the current version. As a piece of urgent advice, we can suggest that you update your app as soon as possible!