Caixin News App Task Hijacking Vulnerability

Vulnerability

A vulnerability allowing task hijacking has been identified in Caixin News App version 8.0.1 for Android. This issue arises from an improper export of application components in the AndroidManifest.xml file, specifically within the com.caixin.news component. The vulnerability requires local access to exploit and has been publicly disclosed, with the vendor unresponsive to initial reports.

Impact

Exploitation of this vulnerability allows a malicious application to hijack tasks from the Caixin News app, potentially leading to the theft of sensitive user information. This type of attack can be used to create a phishing scenario, where the user is deceived into providing personal data or granting permissions to the malicious app.

Reproduction

To reproduce this vulnerability, a malicious app must be created with a task affinity that matches the package name of the Caixin News app. Once this app is installed and opened, it will hijack the task stack of the Caixin News app. When the victim uses the news app, they will actually be interacting with the malicious app, allowing the attacker to phish for credentials or sensitive information.

Remediation

To mitigate this vulnerability, developers should set the taskAffinity property of application activities to an empty value or enforce a random task affinity across all activities in the AndroidManifest.xml.

Added: Aug 3, 2025, 3:16 PM
Updated: Aug 3, 2025, 3:16 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.8
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.