Stoat for Android Improper URI Validation in Exported ShareTargetActivity Component Leading to Internal File Disclosure

Vulnerability

A vulnerability in Stoat for Android versions prior to 1.6.0 allows for improper validation of URIs in an exported activity. The ShareTargetActivity component, accessible to any process on the device via the SEND intent, accepts file URIs pointing to the application's internal storage, such as databases, cached authentication tokens, or preferences. This lack of validation enables an attacker to exploit the activity, causing the victim to unintentionally share sensitive internal files as attachments in Stoat channels or with specific users. The shared files could include the local Stoat database, authentication tokens for account takeover, or any other file readable by the app process.

Impact

Exploitation of this vulnerability could lead to unauthorized disclosure of sensitive internal application data, including message history, contact lists, cached content, and authentication tokens, allowing for full account takeover.

Reproduction

The vulnerability can be reproduced by invoking the ShareTargetActivity with a file URI that points to the application's internal storage. This can be done through ADB commands, by using a co-installed malicious application, or any other method that can send intents to the ShareTargetActivity. Once the activity is launched with the malicious URI, the victim only needs to select a channel or user to complete the process of sharing the internal file.

Remediation

The vulnerability has been patched in Stoat for Android version 1.6.0.

Added: Jul 18, 2026, 8:22 PM
Updated: Jul 18, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.5
exploitability
5.3
remediation
0.0
relevance
10.0
threat
4.8
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.