Euro Information CIC Banque et Compte en Ligne App Task Hijacking Vulnerability
Vulnerability
A task hijacking vulnerability has been identified in Euro Information CIC Banque et Compte en Ligne App version 12.56.0 for Android. This vulnerability arises from an improper export of application components in the AndroidManifest.xml file of the component com.cic_prod.bad. The issue allows malicious applications to inherit permissions from vulnerable ones, potentially leading to phishing attacks by manipulating or taking over tasks within the Android environment. This vulnerability affects all Android versions prior to Android 11.
Impact
Exploitation of this vulnerability allows for task hijacking, where a malicious app can take over a legitimate app's task and permissions. This could be used to phish for sensitive information, such as login credentials, by creating a deceptive interface that appears to be the legitimate app.
Reproduction
To reproduce this vulnerability, a malicious app must be created with a task affinity that matches the vulnerable app's package name. Once installed, the malicious app can hijack the task of the legitimate app, leading to a phishing scenario where the user is deceived into entering personal information.
Remediation
To mitigate this vulnerability, developers should set the android:taskAffinity attribute of the application's activities in AndroidManifest.xml to an empty value, or enforce a random task affinity for all activities, so that no third-party app can declare a matching affinity and join their task.
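As an added example (not code from this advisory or from the vendor), a small Python check that parses a constructed AndroidManifest.xml, reports activities whose task affinity still resolves to the package-name default, and shows the same manifest with the empty taskAffinity the remediation describes. The package name com.example.bank and LoginActivity are placeholders, not the real app's identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _android_attr(elem, name):
    """Read an android:-namespaced manifest attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def find_hijackable_activities(manifest_xml: str) -> list[str]:
    """Return names of activities whose task affinity resolves to the package
    name (Android's default), i.e. activities that another app can join by
    declaring the same affinity on Android versions before 11."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    # <application android:taskAffinity=...> sets the default for every activity
    app_affinity = _android_attr(app, "taskAffinity") if app is not None else None
    findings = []
    for activity in root.iter("activity"):
        affinity = _android_attr(activity, "taskAffinity")
        if affinity is None:
            affinity = app_affinity
        if affinity is None:
            affinity = package  # Android's default when nothing is declared
        # An empty affinity means the activity never shares a task with other apps
        if affinity != "":
            findings.append(_android_attr(activity, "name"))
    return findings

# Constructed manifest for a hypothetical banking app; all names are placeholders.
VULNERABLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application android:label="Example Bank">
    <activity android:name=".LoginActivity" android:exported="true" />
  </application>
</manifest>
"""

# The same manifest with the remediation applied: android:taskAffinity="" on the activity.
FIXED_MANIFEST = VULNERABLE_MANIFEST.replace(
    'android:exported="true"', 'android:exported="true" android:taskAffinity=""'
)

if __name__ == "__main__":
    print("vulnerable:", find_hijackable_activities(VULNERABLE_MANIFEST))  # ['.LoginActivity']
    print("fixed:", find_hijackable_activities(FIXED_MANIFEST))  # []
```

Setting the empty affinity on the `<application>` element instead covers every activity at once, which the check also accepts.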