bsc Peru Cocktails App Task Hijacking Vulnerability

A task hijacking vulnerability has been identified in bsc Peru Cocktails App version 1.0.0 for Android. This issue arises from an improper export of application components in the AndroidManifest.xml file, specifically within the bsc.devy.peru_cocktails component. The vulnerability allows malicious applications to inherit permissions from the affected app, potentially leading to phishing attacks by manipulating or taking over tasks on the device. This vulnerability affects all Android versions prior to Android 11.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious app can take over a legitimate app's task and permissions. This could be used to phish for sensitive information from the user or to manipulate the user into granting additional permissions to the malicious app.

Reproduction

To reproduce this vulnerability, a malicious app must be created with a taskAffinity value that matches the package name of the target app. Once installed, the malicious app can hijack the task of the legitimate app, replacing its activity with a phishing interface designed to capture sensitive user information.

Remediation

To mitigate this vulnerability, developers should set the taskAffinity property of application activities to an empty value or configure it to enforce a random task affinity across all activities in the application.