Freedom Factory dGEN1 Improper Authorization Vulnerability in Wallet Application

Vulnerability

A broken authorization vulnerability has been identified in the Freedom Factory dGEN1 phone, specifically in the wallet application package 'org.ethereumphone.walletmanager.testing123'. The application exports a ContentProvider, 'TokenBalanceContentProvider', that serves the user's token balance data without declaring a read permission and without validating the calling application (no check of the calling UID, package, or signing certificate). Because Android delivers ContentProvider queries to any app that knows the content URI, any unprivileged local application can read and enumerate the user's token balances. Cross-referenced with public blockchain data, a list of (chain, contract, balance) tuples is often enough to infer the user's wallet address and on-chain holdings, which is a privacy breach.

Impact

Exploitation of this vulnerability lets a local application read sensitive financial data, including ERC-20 token balances across multiple chains, without holding any permission. An attacker can use this information to identify high-value holdings, profile the user's financial activity, and deanonymize the user's blockchain identity, enabling targeted phishing or social engineering. The vulnerability is an information disclosure only: it does not by itself allow funds to be moved.

Reproduction

The vulnerability can be reproduced by querying the exported ContentProvider for wallet balances from the Android Debug Bridge (ADB) shell. The command 'adb shell content query --uri "content://com.walletmanager.tokenbalance.provider/balances/positive"' returns the token balance rows, including the token contract addresses, chain IDs, and balances. No permission or special privilege is required; the same query can be issued from any installed third-party app through ContentResolver.query() on that URI.

Remediation

To address this vulnerability, it is recommended to define a custom permission with android:protectionLevel="signature" and bind it to the provider via android:readPermission, so that only apps signed with the wallet's key can read it; to additionally validate callers inside the provider using the calling UID and the verified calling package (and, where appropriate, a signing-certificate comparison); and to set android:exported="false" on the provider if no external access is needed. Sensitive balance metadata should not be exposed through globally accessible inter-process communication interfaces at all.
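The following hardened provider is an added example written for this entry; it is not the vendor's code and was not taken from the dGEN1 firmware. It assumes the authority and path named in the reproduction section, and it assumes a permission name (org.ethereumphone.walletmanager.permission.READ_BALANCES), a Java package (org.ethereumphone.walletmanager), a single allowlisted caller package, and column names (contract_address, chain_id, balance) that are illustrative only. It shows the three layers the remediation calls for: a signature-level readPermission declared in the manifest (shown in the header comment), an in-process permission check keyed on the calling UID, and verification of the calling package and its signing certificate before any row is returned.

```java
// Hardened TokenBalanceContentProvider (illustrative example, not the vendor's code).
// Assumed manifest declarations that this class relies on:
//
//   <permission
//       android:name="org.ethereumphone.walletmanager.permission.READ_BALANCES"
//       android:protectionLevel="signature" />
//   <provider
//       android:name=".TokenBalanceContentProvider"
//       android:authorities="com.walletmanager.tokenbalance.provider"
//       android:exported="true"
//       android:readPermission="org.ethereumphone.walletmanager.permission.READ_BALANCES" />
//
// If no other app needs the data, set android:exported="false" instead and the checks
// below become defence in depth rather than the primary control.
package org.ethereumphone.walletmanager; // assumed package for the example

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.UriMatcher;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.Binder;

public class TokenBalanceContentProvider extends ContentProvider {

    private static final String AUTHORITY = "com.walletmanager.tokenbalance.provider";
    private static final String READ_PERMISSION =
            "org.ethereumphone.walletmanager.permission.READ_BALANCES"; // assumed name
    private static final int POSITIVE_BALANCES = 1;
    private static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    static { MATCHER.addURI(AUTHORITY, "balances/positive", POSITIVE_BALANCES); }

    // Caller packages allowed to read balances (assumption: only the wallet itself).
    private static final String[] ALLOWED_CALLERS = { "org.ethereumphone.walletmanager" };

    @Override public boolean onCreate() { return true; }

    /** Reject any caller that is not a signature-matched, allowlisted package. */
    private void enforceCaller() {
        Context ctx = getContext();
        int callingUid = Binder.getCallingUid();

        // 1. Permission check evaluated against the *calling* UID, not this process.
        //    Fails closed (PERMISSION_DENIED) when not invoked over IPC.
        if (ctx.checkCallingPermission(READ_PERMISSION) != PackageManager.PERMISSION_GRANTED) {
            throw new SecurityException("uid " + callingUid + " lacks " + READ_PERMISSION);
        }

        // 2. Package check. getCallingPackage() returns the package the caller reported and
        //    the framework verifies that it belongs to the calling UID, so it cannot be spoofed.
        String pkg = getCallingPackage();
        if (pkg == null) {
            throw new SecurityException("anonymous caller uid " + callingUid);
        }
        boolean allowed = false;
        for (String a : ALLOWED_CALLERS) { if (a.equals(pkg)) { allowed = true; break; } }
        if (!allowed) {
            throw new SecurityException("package " + pkg + " is not permitted to read balances");
        }

        // 3. Signing-certificate check: the caller must share our signing key.
        if (ctx.getPackageManager().checkSignatures(ctx.getPackageName(), pkg)
                != PackageManager.SIGNATURE_MATCH) {
            throw new SecurityException("package " + pkg + " is not signed with the wallet's key");
        }
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        enforceCaller(); // nothing is read from storage before the caller is validated
        if (MATCHER.match(uri) != POSITIVE_BALANCES) {
            throw new IllegalArgumentException("unknown URI " + uri);
        }
        // Column names are assumed for the example; rows would come from the wallet's store.
        MatrixCursor cursor = new MatrixCursor(new String[] { "contract_address", "chain_id", "balance" });
        for (Object[] row : loadPositiveBalances()) { cursor.addRow(row); }
        return cursor;
    }

    /** Placeholder for the wallet's real balance store (returns no rows in this example). */
    private Object[][] loadPositiveBalances() { return new Object[0][]; }

    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd." + AUTHORITY + ".balance"; }
    @Override public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException("read-only"); }
    @Override public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException("read-only"); }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { throw new UnsupportedOperationException("read-only"); }
}
```

With the manifest permission in place, the 'adb shell content query' reproduction step fails with a SecurityException before the provider's query() runs, because the shell UID does not hold the signature-level permission; the in-code checks are what protect against a misconfigured manifest or a future change that re-exports the provider without a readPermission.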

Added: Mar 7, 2026, 10:19 PM
Updated: Mar 7, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.