In the early days of Android, ES File Explorer was one of the better ways to manage your storage. That hasn’t been true for a long time, though. Not only is the app rather cluttered and buggy, security researcher Elliot Alderson (@fs0c131y on Twitter) points out this app makes your files vulnerable to theft. All you have to do is open it once.
According to Alderson, ES File Explorer launches an HTTP server on port 59777. This leaves your phone wide open to anyone on the local network with enough knowledge to exploit it. An attacker can use that port to inject a JSON payload. They can get information about the apps and files you have, and then it’s a simple matter to download your data over the network. I have no way of knowing this, but it seems like this may be related to the app’s file sharing feature. See below for a video demo.
With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN— Elliot Alderson (@fs0c131y) January 16, 2019
ES File Explorer has north of 100 million downloads, so that could mean a lot of vulnerable devices out there. Thankfully, the attack only works over local networks. It’s a good idea in general not to be on a network with untrusted people and devices, but this really drives the point home. Alderson says the vulnerability is in v4.1.9.7.4 and lower, and the Play Store page lists the same build. So, you aren’t even safe on the latest version. There’s no word from the developers yet, but ES File Explorer is still actively developed. Presumably, an update is forthcoming.
We reached out to the ES File Explorer devs to try and get their side of the story, or at least find out if steps were being taken to eliminate this vulnerability. Sure enough, the devs claim to be on top of this and have come up with a fix:
“We have fixed the http vulnerability issue and released it. Waiting for the Google market to pass the review.”
The most recent build in the Play Store is still the v4.1.9.7.4 one released this past Monday, so that review is apparently ongoing. Hopefully we’ll see the fix land shortly.
Be the first to comment