Data sharing apps like SHAREit and Xender have transformed the way files are shared, since their release a few years ago. The apps transfer files over wifi which is much faster compared to sending files using Bluetooth.
However, a recent report by Threat Post disclosed two major vulnerabilities in the popular file sharing app, SHAREit, which has over 500 million users the world over.
The bugs, discovered by researchers at Redforce, allowed attackers to bypass app authentication mechanism and provided access to files as well as Facebook token and cookie data.
Found in December 2017 the vulnerabilities were fixed by March 2018 and had a CVSS 3.0 score of 8.2 indicating high-severity.
The vulnerability in the application remained a closely guarded secret until recently because it could have had a huge impact on users owing to big attack surface and easy to exploit nature.
Researcher Abdulrahman Nour, states: “We wanted to give as many people as we can the time to update and patch their devices before making the critical vulnerability common knowledge.”
In order to exploit the vulnerability, attackers on the same WiFi network as a victim would check if the victim’s device was running a SHAREit server. This could be easily determined by checking if two ports 55283 and 2999 were open.
Port 55283 is used by the application to send and receive messages including file transfer requests and device identification. The former is the applications HTTP server implementation and was used by clients to download shared files.
The researchers discovered that once a SHAREit user was identified, attackers could add themselves to the victims trusted devices list by simply sending a request that attempted to fetch a non-existent page.
This could be done simply by using – [curl http://shareit_sender_ip:2999/DontExist] which is one of the simplest authentication bypass methods we have seen.
The application responded to unauthenticated users trying to fetch a non-existing page by adding them to recognized devices and showing a 200 status code.
The flaw was caused due to the application failing to validate the msgid parameter —a unique identifier that ensures that sharing requests are initiated by senders.
This meant that attackers could download files and gain access to auto-fill data, Amazon web-service user key and the victim’s hotspot info in plain-text by using a simple curl command.
SHAREit patched the vulnerability in March 2018 but did not provide researchers with a patched version of the application or vulnerability CVE numbers. The company did not cooperate with the team and took their sweet time in responding to messages.
This callous attitude of the company left researchers at Redforce feeling unappreciated for their efforts. The question remains, Is SHAREit still the best way to share files?
