eBay for Android Content Provider Information Disclosure Vulnerability

Sebastian Guerrero, a security researcher from viaForensics, has disclosed an interesting vulnerability in the eBay Android app prior to version 2.4.1 (detailed paper: https://viaforensics.com/mobile-security/ebay-android-content-provider-injection-vulnerability.html). It allows third-party apps to retrieve, or even modify, the sensitive information stored by the eBay app without requesting any permission.

The cause of this vulnerability is simple: the developer put local data such as the search history and purchase list into the app's Content Provider, which had no restriction on reading or writing.

The Content Provider is the Android feature for cross-app data sharing. On Android there is no storage region that is accessible to all apps by default, so the Content Provider is the standard way to share structured data among apps. Every app can create its own content providers and access those of other apps.

A content provider is identified by a URI (Uniform Resource Identifier) of the form content://com.ebay.mobile.providers.itemcacheprovider/saved_search, and is organized like a database. In this case, saved_search is the table name. To query this table we can directly use content://com.ebay.mobile.providers.itemcacheprovider/saved_search/50 to access record #50 in the table, or use ContentResolver.query() and its companion methods supported by Android to perform the CRUD (create, read, update and delete) operations.

Android also exposes the calendar and contacts through content providers, giving developers access to them. However, the corresponding permissions are required.

By the nature of a Content Provider, anyone can access it by default, whether from a third-party app or from the ADB (Android Debug Bridge) console. It is not wise to put any sensitive or permission-protected information in it.

In total, six tables in eBay's content provider are exposed:

content://com.ebay.mobile.providers.itemcacheprovider/event
content://com.ebay.mobile.providers.itemcacheprovider/item
content://com.ebay.mobile.providers.itemcacheprovider/list
content://com.ebay.mobile.providers.itemcacheprovider/local_notifications
content://com.ebay.mobile.providers.itemcacheprovider/name_value
content://com.ebay.mobile.providers.itemcacheprovider/saved_search

The information is stored as JSON. Here are the decoded contents:

[Image: decoded JSON contents of the eBay tables]

To fix this vulnerability, just add "readPermission" and "writePermission" to the provider entry in the AndroidManifest file, which the original manifest omitted:

[Screenshot (2013-10-23): the provider declaration in the original AndroidManifest]

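The weak declaration beside the hardened one, as an added example manifest that is not the eBay app's own; the package, class and authority names are assumptions, and the authority is a placeholder rather than the real eBay one:

```xml
<!-- Added example, not the eBay app's manifest. Package, authority and
     class names are assumed placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">

    <!-- Signature-level permissions: only apps signed with the same key as
         this app can be granted them, so other installed apps are refused. -->
    <permission
        android:name="com.example.app.permission.READ_ITEM_CACHE"
        android:protectionLevel="signature" />
    <permission
        android:name="com.example.app.permission.WRITE_ITEM_CACHE"
        android:protectionLevel="signature" />

    <application>
        <!-- WEAK (the pattern described above): no permission attributes.
             For apps targeting API 16 or lower, android:exported defaults to
             true, so any app or the adb shell can query, insert, update and
             delete every table behind this authority. -->
        <!--
        <provider
            android:name=".providers.ItemCacheProvider"
            android:authorities="com.example.app.itemcache" />
        -->

        <!-- HARDENED: reads and writes are gated separately, and exported
             is stated explicitly instead of relying on the API-level default. -->
        <provider
            android:name=".providers.ItemCacheProvider"
            android:authorities="com.example.app.itemcache"
            android:exported="true"
            android:readPermission="com.example.app.permission.READ_ITEM_CACHE"
            android:writePermission="com.example.app.permission.WRITE_ITEM_CACHE" />

        <!-- If the data (search history, purchase list) is only used inside
             this app, don't share it at all: -->
        <!--
        <provider
            android:name=".providers.ItemCacheProvider"
            android:authorities="com.example.app.itemcache"
            android:exported="false" />
        -->
    </application>
</manifest>
```

With either hardened form in place, a query from an app that does not hold the permission is rejected by the system with a SecurityException instead of returning rows.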
One lesson can be learned from this case: a content provider is not private storage. Set proper permissions before you put sensitive information into it!
