

Brave for Android had a vulnerability that allowed a malicious web page to steal your cookies remotely. The vulnerability was reported through HackerOne and took 5 months to fix.

Introduction

During my research with Android applications, I found a few vulnerabilities in some of the most used browsers. When researching Brave, I noticed that it was using a Content Provider that was exposing all files from the public directory as well as its private files.

To deal with files, most Android applications use a File Provider. This allows files to be accessed with a content:// schemed URI.

To configure a File Provider in Android, Brave declared the following in its AndroidManifest.xml file:

And in its file_paths.xml, which is where the available file information of this provider is stored, Brave had the following:

I immediately saw the root folder configuration with the combination of root-path and. which means that the home directory, /, is available. This includes /sdcard/ as well as /data/.

Most browsers support reading content:// directly. This is useful for opening local HTML pages or PDF files, for example. Brave supports this too, so opening a content:// URL in Brave will render the file in the browser.

Since Brave exposes its own private folder, /data/data//, we can order Brave to open its own cookies file, content:///root/data/data//app_chrome/Default/Cookies, to see what happens:

[Figure: Brave downloads binary files from content:// URLs]

By itself, this is already a vulnerability.
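The exposure described above comes from a FileProvider paths file that contains a root-path entry. The following audit script is an added example, not code from the original post or from Brave; the sample XML is constructed for illustration, and the function name and severity labels are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample for illustration; this is NOT Brave's actual file_paths.xml.
SAMPLE_PATHS_XML = """\
<paths>
    <files-path name="downloads" path="downloads/"/>
    <cache-path name="images" path="."/>
    <external-path name="sdcard" path="."/>
    <root-path name="root" path="."/>
    <root-path name="tmp" path="data/local/tmp/"/>
</paths>
"""

# Path elements FileProvider understands and the base directory each maps to.
BASES = {
    "root-path": "the device root /",
    "files-path": "the app's private files directory",
    "cache-path": "the app's private cache directory",
    "external-path": "the root of shared external storage",
    "external-files-path": "the app's external files directory",
    "external-cache-path": "the app's external cache directory",
    "external-media-path": "the app's external media directory",
}
WHOLE_DIR = {"", ".", "./", "/"}  # path values that select the entire base

def audit_file_paths(xml_text):
    """Return (severity, tag, name, reason) for every over-broad entry."""
    findings = []
    for el in ET.fromstring(xml_text):
        if el.tag not in BASES:
            continue  # not a FileProvider path element
        name = el.get("name", "")
        path = el.get("path", "").strip()
        if el.tag == "root-path" and path in WHOLE_DIR:
            findings.append(("HIGH", el.tag, name,
                             "maps every file the app can read, including "
                             "its own /data/data directory"))
        elif el.tag == "root-path":
            findings.append(("MEDIUM", el.tag, name,
                             f"rooted at /{path}; use an app-scoped element"))
        elif path in WHOLE_DIR:
            findings.append(("MEDIUM", el.tag, name,
                             f"shares all of {BASES[el.tag]}; "
                             "restrict to a dedicated subdirectory"))
    return findings

if __name__ == "__main__":
    for severity, tag, name, reason in audit_file_paths(SAMPLE_PATHS_XML):
        print(f"[{severity}] <{tag} name={name!r}>: {reason}")
```

A HIGH finding deserves the most attention when the app itself will load content:// URIs that point at its own provider, which is the situation this post describes for Brave.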
