With more than 100,000,000 downloads, ES File Explorer is one of the most famous #Android file managers.

The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://www.youtube.com/watch?v=z6hfgnPNBRE

Technically, every time a user launches the app, an HTTP server is started. This server opens port 59777 locally. On this port, an attacker can send a JSON payload to the target.

You can find the proof of concept on this GitHub repo https://github.com/fs0c131y/ESFileExplorerOpenPortVuln

To sum up, an attacker connected to the same local network can remotely:

- get a file from your phone

- list all the apps installed on your phone

- list all your videos, images, audio files

Worth saying, I'm convinced this "feature" has been implemented by design. Imagine a scenario: I'm Chinese, I have ES File Explorer installed on my phone. I'm on the subway and I used to connect to the public wifi. "The authorities" can use this "feature" against me.
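As an added example (not part of the thread or of the PoC repository): detection logic that flags LAN traffic to the ES File Explorer port 59777 in constructed HTTP log records, the kind of check a network defender could run over proxy or Zeek-style logs. The JSON-lines log format and its field names are assumptions.

```python
import ipaddress
import json

ES_PORT = 59777  # port opened by ES File Explorer's local HTTP server (from the thread)

# Constructed sample log records (JSON lines; the field names are an assumption).
SAMPLE_LOGS = """
{"src": "192.168.1.23", "dst": "192.168.1.50", "dport": 59777, "method": "POST", "content_type": "application/json"}
{"src": "192.168.1.23", "dst": "93.184.216.34", "dport": 443, "method": "GET", "content_type": ""}
{"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 59777, "method": "GET", "content_type": ""}
{"src": "172.16.4.2", "dst": "172.16.4.9", "dport": 8080, "method": "POST", "content_type": "application/json"}
"""


def is_lan_peer(src, dst):
    """True when both endpoints are private addresses, i.e. traffic between LAN peers."""
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return a.is_private and b.is_private


def classify(record):
    """Return a severity label for one parsed log record, or None if unremarkable."""
    if record["dport"] != ES_PORT or not is_lan_peer(record["src"], record["dst"]):
        return None
    # A JSON POST to the port matches the command channel described in the thread.
    if record["method"] == "POST" and "json" in record["content_type"].lower():
        return "high"
    # Any other LAN peer touching the port is still worth a look.
    return "medium"


def find_suspicious(log_text):
    """Parse JSON-lines log text and return (severity, src, dst) for each hit."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        sev = classify(rec)
        if sev:
            alerts.append((sev, rec["src"], rec["dst"]))
    return alerts


if __name__ == "__main__":
    for sev, src, dst in find_suspicious(SAMPLE_LOGS):
        print(f"[{sev}] {src} -> {dst}:{ES_PORT}  LAN access to ES File Explorer's HTTP server")
```

A hit on a managed network is a cue to block TCP 59777 between client devices and to get the affected phones updated.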

As always, excellent article by @zackwhittaker https://techcrunch.com/2019/01/16/android-app-es-file-explorer-expose-data/

I did a commit to fix a small issue on my script. If you have a problem with the script or have some improvements, don't hesitate to contact me or to send a pull request! https://github.com/fs0c131y/ESFileExplorerOpenPortVuln

I love the #infosec community! The awesome @LukasStefanko found that ES File Explorer is vulnerable to a MITM attack 😅

Did I tell you that I found 2 other vulnerabilities in ES File Explorer? But I will keep them for another day.

I'm a mysterious security researcher 😂

You can follow @fs0c131y.
