Kakao Hey Kakao App Task Hijacking Vulnerability in com.kakao.i.connect Component

Vulnerability

A task hijacking vulnerability has been identified in the Kakao Hey Kakao App, specifically in versions through 2.17.4 on Android. The issue arises from an improper configuration in the AndroidManifest.xml file of the com.kakao.i.connect component, which allows for the incorrect export of application components. This vulnerability can be exploited by malicious applications to inherit permissions from the affected app, potentially leading to the phishing of sensitive information such as login credentials. The vulnerability affects all Android versions prior to Android 11.

Impact

Exploitation of this vulnerability allows for task hijacking, where a malicious app can take over the task of a legitimate app, misleading the user and potentially stealing sensitive information.

Reproduction

To reproduce this vulnerability, a malicious app must be created with a task affinity that matches that of the Kakao Hey Kakao App. Once this app is installed on a device, it can hijack the task of the Kakao app by exploiting the improper export of application components. This can be demonstrated by using the malicious app to initiate a task that then takes over the Kakao app, replacing its original activity with that of the malicious app.

Remediation

Users can mitigate this vulnerability by updating to a version of the Kakao Hey Kakao App that is later than 2.17.4. Additionally, developers should ensure that the taskAffinity property in the AndroidManifest.xml file is properly configured to prevent such hijacking attacks.
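As an added illustration of the developer-side check (not code from the advisory or from Kakao), the script below audits a decoded AndroidManifest.xml for activities that still share a task affinity and reports whether each one is exported. The manifest, the package com.example.app and the function name audit_task_affinity are constructed for the example, and it assumes the commonly recommended hardening of an empty android:taskAffinity on the activity or on the application element.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical package, not the Kakao manifest).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".LoginActivity" android:taskAffinity=""
        android:exported="false"/>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>"""


def audit_task_affinity(manifest_xml):
    """Return (activity, affinity, exported) for activities with a shared affinity."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    # An affinity set on <application> is inherited by every activity;
    # with nothing set, the affinity defaults to the package name.
    app_affinity = app.get(ANDROID + "taskAffinity", package)
    findings = []
    for act in app.iter("activity"):
        affinity = act.get(ANDROID + "taskAffinity", app_affinity)
        if affinity == "":
            continue  # empty affinity: the activity belongs to no shared task
        exported = act.get(ANDROID + "exported")
        if exported is None:
            # Before Android 12, an intent filter without android:exported
            # made the component exported by default.
            is_exported = act.find("intent-filter") is not None
        else:
            is_exported = exported == "true"
        findings.append((act.get(ANDROID + "name"), affinity, is_exported))
    return findings


if __name__ == "__main__":
    for name, affinity, is_exported in audit_task_affinity(SAMPLE_MANIFEST):
        print(f"{name}: taskAffinity={affinity!r} exported={is_exported}")
```

Exported entries are the ones to review first; non-exported activities are still listed because they keep the default package-name affinity.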

Added: Aug 29, 2025, 8:17 PM
Updated: Aug 29, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 5.8
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.