Yeelink Yeelight App Task Hijacking Vulnerability

A task hijacking vulnerability has been identified in the Yeelink Yeelight App for Android, versions up to 3.5.4. This vulnerability arises from an improper export of application components in the AndroidManifest.xml file of the com.yeelight.cherry component. The misconfiguration allows malicious apps to inherit permissions from vulnerable apps, potentially leading to phishing attacks where sensitive login credentials could be stolen. The vulnerability affects all Android versions prior to Android 11.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over a legitimate app's task, inheriting its permissions. This could be used to create a phishing scenario, deceiving users into entering personal information while believing they are interacting with a trusted application.

Reproduction

To reproduce this vulnerability, a malicious app must be created with a taskAffinity that matches the package name of the target app. Once installed, this malicious app can hijack the task of the Yeelight app, redirecting the user to a phishing activity designed to capture sensitive information.

Remediation

To mitigate this vulnerability, developers should set the taskAffinity property of application activities in the AndroidManifest.xml to a randomly generated value or enforce a specific task affinity that does not align with the default package name.