ES File Explorer is a file manager application for Android mobile devices available for download in Google Play Store. This file manager application has been installed over 100,000,000 times and has over 500 million users worldwide.
A security researcher Robert Baptiste recently discovered that a hidden web server was found always running in the background of ES File Explorer application. This vulnerability in ES File Explorer could allow attackers to download files from victims’ Android mobile devices.
Robert Baptiste also known as Elliot Alderson and @fs0c131y on Twitter posted, “With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager. The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone.”
CVE-2019-6447 open port vulnerability
Baptiste explained how the vulnerability (CVE-2019-6447) could allow attackers to get files from users’ mobile devices
Soon after Baptiste’s disclosure of CVE-2019-6447 vulnerability, another researcher named Lukas Stefanko spotted another local vulnerability in ES File Explorer application.
“Thanks to @fs0c131y research, I found another local vulnerability in ES File Explorer app: Man-in-the-middle attack. #MITM,” Stefanko tweeted.
Stefanko explained that this vulnerability in ES File Explorer could allow attackers to intercept ES File Explorer’s HTTP network traffic and switch it with their own. Attackers connected on the same local network can exploit this Man-In-The-Middle (MitM) security flaw which would allow them to intercept the app's HTTP network traffic and exchange it with their own.
Stefanko disclosed that all ES File Explorer versions up to 22.214.171.124.4 are affected by this Man-In-The-Middle (MitM) vulnerability.
Few more security issues
Robert Baptiste further stated that he found few more security flaws which he will disclose later. However, ES File Explorer's developers stated that fix for the HTTP vulnerability issue is already waiting for approval from Google's review team with an estimated release time of approximately two days.