Verkehrsauskunft Österreich SmartRide, cleVVVer and BusBahnBim Task Hijacking Vulnerability

Vulnerability

A task hijacking vulnerability has been identified in Verkehrsauskunft Österreich SmartRide, cleVVVer, and BusBahnBim versions through 12.1.1(258). This vulnerability arises from an improper export of Android application components, allowing malicious apps to inherit permissions from vulnerable ones. The issue is rooted in the AndroidManifest.xml file, where the taskAffinity attribute is not properly set, enabling phishing attacks by manipulating how tasks are handled in Android. This vulnerability affects all Android versions prior to Android 11 and must be exploited locally.
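A manifest check for the taskAffinity condition described above, as an added example that is not code from the advisory or from the vendor. It assumes a decoded AndroidManifest.xml and the common hardening of setting android:taskAffinity to an empty string (the advisory does not state how the fix was made); both sample manifests and the package name com.example.transit are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
AFFINITY = f"{{{ANDROID_NS}}}taskAffinity"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample manifests (not taken from the affected apps).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.transit">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".TicketActivity" android:taskAffinity="com.example.shared"/>
  </application>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.transit">
  <application android:taskAffinity="">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".TicketActivity"/>
  </application>
</manifest>"""


def effective_affinity(activity, application, package):
    """Resolve the affinity in use: activity value, else application value, else package name."""
    for element in (activity, application):
        value = element.get(AFFINITY)
        if value is not None:
            return value
    return package


def audit_task_affinity(manifest_xml):
    """Return (activity name, effective affinity) for each activity that still has a task affinity."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for application in root.iter("application"):
        for activity in application.iter("activity"):
            affinity = effective_affinity(activity, application, package)
            if affinity != "":  # an empty string means the activity has no affinity to any task
                findings.append((activity.get(NAME), affinity))
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_task_affinity(xml))
```

An activity that sets no attribute of its own inherits the application-level value, and without that it falls back to the package name, which is why the first activity in the weak sample is reported even though it never mentions taskAffinity.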

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious application can take over a legitimate one, inheriting its permissions and potentially leading to the theft of sensitive information from the user.

Reproduction

To reproduce this vulnerability, download a malicious app that exploits the task hijacking flaw. Once the app is installed, use it to initiate a phishing attack by hijacking a legitimate app's task. The malicious app will then be able to access the user's personal information under the guise of the legitimate application.

Remediation

Users are advised to upgrade to Verkehrsauskunft Österreich SmartRide, cleVVVer, or BusBahnBim version 12.1.2(259) to address this vulnerability.

Added: Aug 19, 2025, 11:17 AM
Updated: Aug 19, 2025, 1:50 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 5.8
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.