Ooma Office Business Phone App Task Hijacking Vulnerability
Vulnerability
A task hijacking vulnerability has been identified in the Ooma Office Business Phone App for Android, affecting versions prior to 7.2.2. This vulnerability arises from improper management of application components in the 'com.ooma.office2' package, allowing malicious apps to exploit this misconfiguration. The issue enables attackers to manipulate or take over tasks from legitimate applications, potentially leading to the theft of sensitive information such as login credentials.
Impact
Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over a legitimate app's task and impersonate it. This could result in significant privacy breaches, such as leaking personal information or credentials from the user to the attacker.
Reproduction
To reproduce this vulnerability, a malicious app must be created and installed on the victim's device. This app should be designed to hijack tasks from the Ooma Office app by exploiting the improper export of application components. Once the malicious app is installed, it can be used to phish login credentials by manipulating the Ooma Office app's task.
Remediation
Users are advised to update to Ooma Office Business Phone App version 7.2.2 or later, where this vulnerability has been addressed.
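For developers checking their own app for this class of misconfiguration, the following added example (not code from this advisory or from Ooma) audits a decoded AndroidManifest.xml for exported activities and for activities whose task affinity has not been cleared. The sample manifest, the package name com.example.phone and the issue labels are constructed for illustration; the real com.ooma.office2 manifest is not shown on this page.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample in decoded (text) form; NOT the real com.ooma.office2 manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.phone">
  <application android:label="Example">
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"
        android:taskAffinity=""/>
    <activity android:name=".ShareActivity" android:taskAffinity="">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Map each risky activity name to the list of issues found for it."""
    app = ET.fromstring(xml_text).find("application")
    # An activity without its own taskAffinity inherits the <application> value;
    # if that is also unset, the affinity defaults to the package name.
    app_affinity = app.get(ANDROID + "taskAffinity")
    findings = {}
    for act in app.iter("activity"):
        issues = []
        if act.get(ANDROID + "taskAffinity", app_affinity) != "":
            issues.append("task-affinity-not-cleared")
        exported = act.get(ANDROID + "exported")
        if exported == "true":
            issues.append("exported")
        elif exported is None and act.find("intent-filter") is not None:
            # Exported by default when the app targets API levels below 31.
            issues.append("implicitly-exported")
        if issues:
            findings[act.get(ANDROID + "name")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{name}: {', '.join(issues)}")
```

In the sample, setting android:taskAffinity="" on the application element clears the affinity finding for every activity that does not override it.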
