OnePlus OxygenOS Telephony Provider Permission Bypass Vulnerability Allowing Unauthorized SMS Data Access

Vulnerability

A permission bypass vulnerability has been identified in OnePlus OxygenOS, allowing applications to access SMS and MMS data, including metadata, from the system's Telephony provider without user consent or notification. This vulnerability could compromise the security of SMS-based Multi-Factor Authentication (MFA) by silently exfiltrating SMS data. The issue arises from missing permissions for write operations in several content providers, combined with a blind SQL injection vulnerability in the update method of those providers. The vulnerability affects multiple OnePlus devices across several OxygenOS versions, with the exception of OxygenOS 11.
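A defensive check for the root cause described above (exported content providers whose write path carries no permission, which leaves `update` reachable by any app), as an added example that is not code from OnePlus or from the original advisory. The manifest, provider names and `com.example` permissions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: provider names, authorities and com.example
# permissions are illustrative and do not come from any real device image.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.telephony">
  <application>
    <provider android:name=".ReadGuardedOnlyProvider"
        android:authorities="example_sms_a" android:exported="true"
        android:readPermission="android.permission.READ_SMS"/>
    <provider android:name=".FullyGuardedProvider"
        android:authorities="example_sms_b" android:exported="true"
        android:readPermission="android.permission.READ_SMS"
        android:writePermission="com.example.permission.WRITE_SMS_DATA"/>
    <provider android:name=".SinglePermissionProvider"
        android:authorities="example_sms_c" android:exported="true"
        android:permission="com.example.permission.ACCESS_SMS_DATA"/>
    <provider android:name=".InternalProvider"
        android:authorities="example_sms_d" android:exported="false"/>
  </application>
</manifest>"""


def unguarded_write_providers(manifest_xml):
    """Return (name, read_is_guarded) for each exported provider whose
    insert/update/delete path has no permission: neither android:permission
    nor android:writePermission is declared.
    Assumptions: a missing android:exported means not exported (the default
    for apps targeting API 17+); <path-permission> children are not checked."""
    findings = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        if prov.get(ANDROID + "exported", "false").lower() != "true":
            continue  # not reachable from other apps
        general = prov.get(ANDROID + "permission")
        write = prov.get(ANDROID + "writePermission") or general
        read = prov.get(ANDROID + "readPermission") or general
        if not write:
            findings.append((prov.get(ANDROID + "name"), bool(read)))
    return findings


if __name__ == "__main__":
    for name, read_guarded in unguarded_write_providers(SAMPLE_MANIFEST):
        print(f"{name}: write path unguarded (read guarded: {read_guarded})")
```

A provider flagged with the read path guarded is the asymmetric case the advisory describes: queries are permission-checked, but the write methods are not.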

Impact

Exploitation of this vulnerability allows for unauthorized access to SMS and MMS data, including the interception of MFA codes, potentially undermining the security of services relying on SMS-based authentication.

Reproduction

The vulnerability can be reproduced with an Android application that requests no permission to access SMS data. The app sends SQL injection payloads through the update method of the vulnerable content providers, bypassing the normal permission requirements. This process can be automated to extract SMS data character by character, effectively reading the contents of text messages without the user's knowledge.

Remediation

As of the time of disclosure, no patch is available from OnePlus. Users can limit their exposure by uninstalling non-essential apps, reviewing SMS-based MFA services and switching to authenticator apps, using end-to-end encrypted messaging apps, or changing SMS notification services to in-app push notifications.

Added: Sep 23, 2025, 1:17 PM
Updated: Sep 23, 2025, 2:21 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 5.6
remediation: 8.3
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.