ZhenShi Mibro Fit App Task Hijacking Vulnerability
Vulnerability
A task hijacking vulnerability has been identified in ZhenShi Mibro Fit App version 1.6.3.17499 for Android. The issue arises from improperly exported application components declared in the AndroidManifest.xml file of the component com.xiaoxun.xunoversea.mibrofit. The vulnerability allows a malicious app to inherit permissions from the vulnerable one, typically for phishing purposes. Exploitation requires local access.
Impact
The vulnerability allows for task hijacking, where a malicious application can take over the task of a legitimate one, potentially leading to the theft of sensitive information from the user.
Reproduction
To reproduce this vulnerability, a malicious app must be created that exploits the task hijacking flaw by setting the taskAffinity attribute to match that of the vulnerable app. Once installed, this malicious app can hijack the Mibro Fit app's task, replacing its original activity with a phishing page designed to capture personal information or prompt the user to grant additional permissions to the malicious app.
Remediation
Users can mitigate this vulnerability by updating to a version of the ZhenShi Mibro Fit App that addresses the task affinity issue in the AndroidManifest.xml. Instructions for updating the app can be found on the Google Play Store.
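For developers who want to check their own manifest for the task affinity issue described above, the following Python audit is an added example, not code from this advisory or from the vendor. It assumes a decoded, text-form AndroidManifest.xml (for instance as produced by apktool); the sample manifest, its package name and its activity names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest: package and activity names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fitness">
  <application>
    <activity android:name=".SplashActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LoginActivity" android:exported="false"
        android:taskAffinity=""/>
    <activity android:name=".ShareActivity" android:exported="true"/>
  </application>
</manifest>
"""


def audit_task_affinity(manifest_xml):
    """List activities whose effective taskAffinity another app could match."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    # Activities inherit taskAffinity from <application>; its default is the package name.
    app_affinity = app.get(ANDROID + "taskAffinity", package)
    findings = []
    for act in app.findall("activity"):
        affinity = act.get(ANDROID + "taskAffinity", app_affinity)
        if affinity == "":
            continue  # empty affinity: the activity belongs to no shared task
        exported = act.get(ANDROID + "exported")
        if exported is None:  # legacy default: exported when an intent filter exists
            exported = "true" if act.find("intent-filter") is not None else "false"
        findings.append({"activity": act.get(ANDROID + "name"),
                         "taskAffinity": affinity,
                         "exported": exported == "true"})
    return findings


if __name__ == "__main__":
    for finding in audit_task_affinity(SAMPLE_MANIFEST):
        print(finding)
```

Setting android:taskAffinity="" on the application element clears every finding for activities that do not override it.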
