TVB Big Big Shop App Task Hijacking Vulnerability
Vulnerability
A task hijacking vulnerability has been identified in TVB Big Big Shop App version 2.9.0 for Android. The issue arises from an improper export of application components in the AndroidManifest.xml file of the hk.com.tvb.bigbigshop package. It allows a malicious app to inherit permissions from the vulnerable one and to manipulate or take over the app's tasks on the device, which can be abused for phishing. The vulnerability affects all Android versions prior to Android 11.
Impact
Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over a legitimate one, inheriting its permissions and potentially leading to the theft of sensitive information. This misconfiguration in the Android manifest file creates a significant security risk by allowing unauthorized access to application components.
Reproduction
To reproduce this vulnerability, a malicious app is created with a taskAffinity value that matches that of the vulnerable app. Once installed, the malicious app can hijack tasks from the legitimate app, and phishing activities can then be conducted under the guise of the legitimate application.
Remediation
To mitigate this vulnerability, the taskAffinity attribute of the application's activities should be set to an empty string, or configured to enforce a randomly generated task affinity. This adjustment is made in the AndroidManifest.xml file.
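The following manifest is an added illustration of that remediation, not the app's real manifest: the package name is the one named above, while the activity name and label are hypothetical. It shows the affinity-less declaration that leaves an activity hijackable, and the corrected declaration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example manifest, not the vendor's own; ".CheckoutActivity" is a
     hypothetical activity name chosen for illustration. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="hk.com.tvb.bigbigshop">

    <application android:label="TVB Big Big Shop">

        <!-- VULNERABLE FORM (what to look for when reviewing a manifest):
             no android:taskAffinity attribute at all. Android then assigns the
             package name, hk.com.tvb.bigbigshop, as the activity's affinity.
             Any installed app that declares that same affinity on one of its
             own activities can have that activity placed into this app's task
             on Android versions before 11, which is the task hijack described above.

             <activity
                 android:name=".CheckoutActivity"
                 android:exported="false" />
        -->

        <!-- REMEDIATED FORM: an empty taskAffinity means the activity has no
             affinity, so it only ever lives in the task of the activity that
             started it and no foreign activity can join that task by affinity.
             Apply this to every activity the app declares, not just one. -->
        <activity
            android:name=".CheckoutActivity"
            android:exported="false"
            android:taskAffinity="" />

    </application>
</manifest>
```

A quick review check is to decompile the APK and confirm that every `<activity>` element carries an explicit `android:taskAffinity` value (empty or randomized); any activity without one still defaults to the package name.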
