1&1 Mail & Media mail.com App Task Hijacking Vulnerability in Android 8.8.0
Vulnerability
A task hijacking vulnerability has been identified in the 1&1 Mail & Media mail.com App version 8.8.0 for Android. This issue arises from an improper export of application components in the AndroidManifest.xml file, specifically within the com.mail.mobile.android.mail component. The vulnerability allows malicious applications to inherit permissions from the affected app, potentially leading to phishing attacks by manipulating user interactions and stealing sensitive information. This vulnerability affects all Android versions prior to Android 11.
Impact
Exploitation of this vulnerability allows for task hijacking, where a malicious app can take over tasks from the vulnerable app, leading to unauthorized access to permissions and sensitive user information.
Reproduction
To reproduce this vulnerability, a malicious app must be created and configured to hijack tasks from the mail.com app. This involves setting the taskAffinity attribute to match that of the mail.com app in the malicious app's AndroidManifest.xml file. Once the malicious app is installed and launched, it can hijack the mail.com app's tasks, replacing the original activity with a phishing activity designed to capture personal information from the user.
Remediation
To mitigate this vulnerability, developers should set the taskAffinity property of application activities in the AndroidManifest.xml file to an empty string or enforce a randomly generated task affinity. This prevents activities from sharing a task stack with other applications, thereby blocking potential task hijacking attacks.
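The following check is an added example, not code from the advisory or from the mail.com app: it resolves each activity's effective taskAffinity the way the manifest documentation defines it (activity value, then application value, then the package-name default) and flags every activity that still ends up with a non-empty affinity. The manifests, package name and activity names are constructed for illustration; only the empty string is treated as safe, since a randomly generated affinity cannot be verified by static inspection.

```python
import xml.etree.ElementTree as ET

# ElementTree keys namespaced attributes as "{namespace}local".
TASK_AFFINITY = "{http://schemas.android.com/apk/res/android}taskAffinity"
NAME = "{http://schemas.android.com/apk/res/android}name"


def audit_task_affinity(manifest_xml):
    """Return one finding per <activity> whose effective taskAffinity is not "".

    Resolution order per the manifest docs: an explicit <activity> value wins, then
    the <application> value, then the package name. Only "" is treated as safe; a
    hand-picked unique affinity cannot be verified statically, so it is reported.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    # .get() returns "" when the attribute is present but empty, so an
    # application-level android:taskAffinity="" correctly becomes the default.
    default = app.get(TASK_AFFINITY, root.get("package"))
    findings = []
    for activity in app.iter("activity"):
        effective = activity.get(TASK_AFFINITY, default)
        if effective != "":
            findings.append({"activity": activity.get(NAME),
                             "effective_affinity": effective})
    return findings


# Constructed sample: nothing sets taskAffinity, so every activity inherits the
# package name and can share a task with any other app declaring that affinity.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mailapp">
  <application android:label="Example Mail">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".LoginActivity"/>
  </application>
</manifest>
"""

# Constructed sample with the remediation applied at the <application> level; the
# legacy activity overrides it with a non-empty value and is therefore still flagged.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mailapp">
  <application android:label="Example Mail" android:taskAffinity="">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".LoginActivity"/>
    <activity android:name=".LegacyActivity"
        android:taskAffinity="com.example.mailapp.legacy"/>
  </application>
</manifest>
"""
```

Running the audit over a real decoded AndroidManifest.xml (for example the output of apktool) gives the list of activities that still need an explicit affinity set.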