BuzzFeed App Task Hijacking Vulnerability in Android 2024.9

Vulnerability

A task hijacking vulnerability has been identified in the BuzzFeed App version 2024.9 on Android. This issue arises from an improper export of application components in the AndroidManifest.xml file, specifically within the com.buzzfeed.android component. The vulnerability allows malicious apps to inherit permissions from vulnerable ones, potentially leading to phishing attacks by manipulating or taking over tasks in Android. This vulnerability affects all Android versions prior to Android 11.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over a legitimate app's task, leading to unauthorized access to the legitimate app's permissions and data. This could be used to phish for sensitive information from the user.

Reproduction

To reproduce this vulnerability, a malicious app must be created with a task affinity that matches that of the BuzzFeed app. Once this app is installed on a device, it can hijack the BuzzFeed app's task when both are used in conjunction, effectively replacing the BuzzFeed app's activity with that of the malicious app. This can be demonstrated by downloading the malicious app, using it to hijack the BuzzFeed app's task, and then observing how the BuzzFeed app is replaced by the malicious app's activity.

Remediation

To mitigate this vulnerability, the taskAffinity property of the application's activities should be set to an empty value in the AndroidManifest.xml file. This will force the activities to use a randomly generated task affinity, preventing the hijacking attack.
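The manifest change described above, shown as an added example that is not the BuzzFeed app's manifest or the advisory's own code: two constructed manifests for a placeholder package (com.example.newsapp, with made-up activity names) contrast the weak default with the corrected setting, and a small checker reports activities that other apps can start and whose effective taskAffinity is non-empty. The checker applies the standard Android rules for resolving the attribute (activity value, then application value, then the package name).

```python
"""Static check of an AndroidManifest.xml for task-hijacking exposure.

Added example, not code from the advisory or the app it describes.
The manifests below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Weak setting (constructed): no taskAffinity at all, so every activity
# defaults to the package name, an affinity any other app can also declare.
VULNERABLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsapp">
    <application android:label="News">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".SettingsActivity" android:exported="false" />
    </application>
</manifest>
"""

# Corrected setting (constructed): android:taskAffinity="" on <application>
# is inherited by every activity that does not override it; the same
# attribute can be placed on individual <activity> elements instead.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsapp">
    <application android:label="News" android:taskAffinity="">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".SettingsActivity" android:exported="false" />
    </application>
</manifest>
"""


def effective_task_affinity(activity, application, package):
    """Resolve taskAffinity the way Android does: activity, then
    application, then the package name. An explicit "" means no affinity."""
    for elem in (activity, application):
        value = android_attr(elem, "taskAffinity")
        if value is not None:
            return value
    return package


def is_launchable_by_other_apps(activity):
    """An activity is reachable from other apps if exported="true", or if it
    carries an intent-filter and exported is not set (pre-Android 12 default)."""
    exported = android_attr(activity, "exported")
    if exported is not None:
        return exported.strip().lower() == "true"
    return activity.find("intent-filter") is not None


def find_hijackable_activities(manifest_xml):
    """Return (activity name, effective affinity) for every externally
    launchable activity whose effective taskAffinity is non-empty."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    application = root.find("application")
    findings = []
    for activity in application.iter("activity"):
        if not is_launchable_by_other_apps(activity):
            continue
        affinity = effective_task_affinity(activity, application, package)
        if affinity != "":
            findings.append((android_attr(activity, "name"), affinity))
    return findings


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST),
                            ("hardened", HARDENED_MANIFEST)):
        print(label, find_hijackable_activities(manifest))
```

The checker works on a decoded, text-form manifest; for a built APK, dump the binary manifest first (for example with `apkanalyzer manifest print app.apk` from the Android SDK) and feed the output to `find_hijackable_activities`. Only the launcher activity is reported for the weak manifest because the non-exported settings activity cannot be started by another app; once the application-level `android:taskAffinity=""` is present, nothing is reported.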

Added: Aug 17, 2025, 10:16 PM
Updated: Aug 17, 2025, 10:16 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 5.8
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.