Two high-severity flaws were discovered in the popular SHAREit app, which has more than 1.5 billion users. The app is available for Android, iOS, Windows and Mac, but the two flaws were located in the Android version, which has more than 500 million users.
SHAREit Vulnerabilities: Technical Overview
The vulnerabilities could allow hackers to bypass device authentication and steal users’ files from their devices. Since the application’s purpose is to help users share their files, we can only imagine the types of sensitive and personal information that could have been endangered.
The first vulnerability allows attackers to bypass the SHAREit device authentication mechanism, and the second one enables authenticated attackers to download arbitrary files from the user’s device. The good news is that both flaws were reported to the vendor and patches are now available.
It should be noted that the vulnerabilities were first discovered in December 2017 and addressed in March 2018. However, technical details were made public only recently. According to security experts, the details were withheld because of the vulnerabilities’ large impact and ease of exploitation.
The issue with the first vulnerability is that it “occurs mainly because the application fails to validate msgid parameter enabling a malicious client with a valid session to download any resource by directly referencing its identifier,” RedForce researchers said. Furthermore, to download a file from the user’s device, all that is needed is to have had a valid SHAREit session with that user at least once, so that the attacker is added to the recognized devices. The malicious user then only has to visit https://shareit_sender_ip to download the settings file for the SHAREit app.
Once this is done, any file can be downloaded from the breached device.
It should also be noted that when a user with no valid session tries to fetch a non-existent page, the SHAREit app responds with an empty page and a 200 status code instead of a regular 404 page. The app also adds that user to the recognized devices, effectively authenticating an unauthorized user.
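As an added illustration that is not from the article or from SHAREit’s code base, the following Python sketch models the two weaknesses the researchers describe (a 200 response on an unknown path that also registers the caller as a recognized device, and a resource lookup by msgid with no check that the file was ever offered to that peer) beside the checks a hardened handler would apply. The request shape, the state layout, the sample files and the pair() function are assumptions made for the illustration only.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed illustration, not SHAREit's code: a toy file-sharing endpoint with
# the two weaknesses the article describes, beside a hardened version.

@dataclass
class Request:
    client_ip: str
    path: str                    # e.g. "/download" or "/settings"
    msgid: Optional[str] = None  # identifier of the requested resource

@dataclass
class ServerState:
    all_files: Dict[str, str]   # msgid -> content of every file on the device
    shared: Dict[str, str]      # msgid -> peer IP the file was explicitly offered to
    recognized: Set[str] = field(default_factory=set)  # peers allowed to talk to us

KNOWN_PATHS = ("/download", "/settings")

def make_state() -> ServerState:
    # Constructed sample data: one file offered to peer 10.0.0.9, one private file.
    return ServerState(
        all_files={"m1": "shared doc", "m2": "private photo"},
        shared={"m1": "10.0.0.9"},
    )

def pair(state: ServerState, peer_ip: str) -> None:
    """Stands in for the real pairing flow; the only legitimate way to be recognized."""
    state.recognized.add(peer_ip)

def vulnerable_handle(req: Request, state: ServerState) -> Tuple[int, str]:
    # Weakness 1: an unknown path gets an empty 200 page and the caller is
    # silently added to the recognized devices, so no pairing is ever needed.
    if req.path not in KNOWN_PATHS:
        state.recognized.add(req.client_ip)
        return 200, ""
    if req.client_ip not in state.recognized:
        return 403, "device not recognized"
    if req.path == "/settings":
        return 200, "settings"
    # Weakness 2: msgid is treated as a direct reference into every file on the
    # device; nothing checks whether that file was ever offered to this peer.
    content = state.all_files.get(req.msgid or "")
    return (200, content) if content is not None else (404, "")

def hardened_handle(req: Request, state: ServerState) -> Tuple[int, str]:
    # Unknown paths are plain 404s and never touch authentication state.
    if req.path not in KNOWN_PATHS:
        return 404, ""
    if req.client_ip not in state.recognized:
        return 403, "device not recognized"
    if req.path == "/settings":
        return 200, "settings"
    # The msgid must name a file this device explicitly offered to this peer.
    if req.msgid is None or state.shared.get(req.msgid) != req.client_ip:
        return 403, "resource not shared with this peer"
    return 200, state.all_files[req.msgid]

if __name__ == "__main__":
    s = make_state()
    print(vulnerable_handle(Request("10.0.0.9", "/nope"), s))            # (200, '')
    print(vulnerable_handle(Request("10.0.0.9", "/download", "m2"), s))  # (200, 'private photo')
    s = make_state()
    print(hardened_handle(Request("10.0.0.9", "/nope"), s))              # (404, '')
    pair(s, "10.0.0.9")
    print(hardened_handle(Request("10.0.0.9", "/download", "m2"), s))    # (403, 'resource not shared with this peer')
```

The two fixes are independent: the 404 branch keeps unauthenticated probing from changing who is trusted, and the ownership check in the download branch ties every msgid to the peer it was offered to, so a recognized device still cannot enumerate identifiers to reach files that were never shared with it.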
The exploit is very simple, researchers said
To exploit the vulnerability, all attackers need to do is send a ‘curl’ command that references the path of the target file, provided the exact file location is known.
A proof of concept is also available. It’s worth mentioning that the researchers successfully downloaded about 3000 different files, approximately 2 GB of data, in less than 8 minutes.
Full technical disclosure is available in the detailed report.