What is the issue - Researchers detected two critical vulnerabilities in the SHAREit app that could allow attackers to download arbitrary files from victims’ devices and bypass Android device authentication.
SHAREit is a file sharing application for Windows, Android, and iOS that allows transfer of files including photos, videos, music, contacts, apps, etc.
The first vulnerability
The first vulnerability in the SHAREit app could allow attackers to download arbitrary files due to improper validation of msgid. msgid is a message identifier for each request that ensures the download request was originally initiated by the sender.
Once a user initiates the download request from the SHAREit app, the SHAREit client sends a GET request to the HTTP server. However, the SHAREit app failed to validate the ‘msgid’ parameter, thereby allowing a malicious client with a valid session to download arbitrary files.
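The check whose absence is described above, sketched as an added example (this is not SHAREit's code or the researchers'): each msgid is bound to the session and the file the sender actually offered, and a request is refused unless all three match. Only msgid comes from the article; the class, function, session and path names are hypothetical, and the sample values are constructed.

```python
import posixpath
import secrets


class TransferRegistry:
    """Sender-side record of downloads the user actually initiated."""

    def __init__(self):
        self._offers = {}  # msgid -> (session_id, normalized path)

    def offer(self, session_id, path):
        """Called when the sender picks a file; returns a fresh msgid."""
        msgid = secrets.token_urlsafe(16)  # unguessable, one per request
        self._offers[msgid] = (session_id, posixpath.normpath(path))
        return msgid

    def authorize(self, session_id, msgid, requested_path):
        """Allow a GET only if msgid was issued to this session for this file."""
        offer = self._offers.get(msgid)
        if offer is None:
            return False  # unknown or already used msgid
        owner, offered_path = offer
        if owner != session_id:
            return False  # msgid belongs to another session
        if posixpath.normpath(requested_path) != offered_path:
            return False  # valid msgid, but for a different file
        del self._offers[msgid]  # single use (design choice of this sketch)
        return True


def session_only_check(valid_sessions, session_id, msgid, requested_path):
    """The flawed behaviour described above: msgid is never inspected."""
    return session_id in valid_sessions


def demo():
    reg = TransferRegistry()
    sessions = {"sess-A"}              # constructed sample session
    shared = "/sdcard/DCIM/photo.jpg"  # constructed sample paths
    private = "/data/data/example.app/databases/private.db"
    msgid = reg.offer("sess-A", shared)
    return {
        "flawed_private": session_only_check(sessions, "sess-A", "bogus", private),
        "bound_private": reg.authorize("sess-A", msgid, private),
        "bound_bogus_id": reg.authorize("sess-A", "bogus", shared),
        "bound_shared": reg.authorize("sess-A", msgid, shared),
        "bound_replay": reg.authorize("sess-A", msgid, shared),
    }
```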
The second vulnerability
The second critical vulnerability is an authentication bypass vulnerability that could cause the SHAREit app to exhibit very odd behavior, resulting in the bypassing of Android device authentication. However, to exploit this vulnerability, the exact path of the target file is required.
Two unique database files related to the SHAREit app might be useful for exploitation.
The SHAREit MediaStore database contains file information such as file name, type, size, path, and other information.
Worth noting - The critical vulnerabilities were originally discovered by researchers from REDFORCE in December 2017. REDFORCE notified the SHAREit team about the vulnerabilities in January 2018. After several attempts to contact SHAREit, the data sharing app replied in February 2018 that they will fix the issue soon.
In March 2018, SHAREit noted that the issues have been fixed. However, the researchers did not receive any update on the fix. They did not receive any information on the fixed vulnerabilities nor the assigned CVE numbers.
The researchers contacted SHAREit in January 2019 requesting the CVE numbers. After several messages, on February 18, 2019, the SHAREit team replied, refusing to provide the researchers with the patched versions and CVE numbers. On February 25, 2019, REDFORCE released a public disclosure.
“As seen from previous timelines and responses, communication with SHAREit team was not a good experience at all; Not only they took too long to respond to our messages, they also were not cooperative in any means and we did not feel that our work or efforts were appreciated at all,” the researchers said.