InstantBits Web Video Cast App Improper Component Export Vulnerability

A vulnerability exists in the InstantBits Web Video Cast App for Android, in versions prior to 5.12.4. The issue arises from the improper export of application components, specifically within the AndroidManifest.xml file of the com.instantbits.cast.webvideo component. This misconfiguration allows for unauthorized access to exported components by other applications. The vulnerability requires local access to exploit.

Impact

Exploitation of this vulnerability leads to task hijacking, where malicious applications can inherit the permissions of vulnerable ones. This is often used to phish for login credentials from victims. The vulnerability allows for significant manipulation or takeover of tasks within the Android operating system.

Reproduction

To reproduce this vulnerability, a local application must be created that targets the InstantBits Web Video Cast App version 5.12.4 or earlier. The malicious app can then access the improperly exported components of the vulnerable app, inheriting its permissions and potentially using them to manipulate tasks or phish for sensitive information.

Remediation

No known mitigation strategies are available. It is suggested to replace the affected application with an alternative.