https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: Framer Preview
Vendor URL:
https://play.google.com/store/apps/details?id=com.framerjs.android
Type: Improper Export of Android Application Components
[CWE-926]
Date found: 2020-09-06
Date published: 2020-09-22
CVSSv3 Score: 5.5
(CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVE: CVE-2020-25203
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens
from
RCE Security.
3. VERSIONS AFFECTED
====================
Framer Preview 12
4. INTRODUCTION
===============
Framer Preview is the best way to view and interact with your
Framer X and Framer
Classic projects on Android phones and tablets.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
The "Framer Preview" app for Android exposes an activity to other
apps called
"com.framer.viewer.FramerViewActivity". The purpose of this
activity is to show
contents of a given URL via an fullscreen overlay to the app
user.
However, the app does neither enforce any authorization schema
on the activity
nor does it validate the given URL.
This can be abused by an attacker (malicious app) to load any
website/web content
into the fullscreen overlay. An exemplary exploit could look like
the following:
Intent i = new Intent();
i.setComponent(new ComponentName("com.framerjs.android",
"com.framer.viewer.FramerViewActivity"));
i.setAction("android.intent.action.VIEW");
i.setData(Uri.parse("https://www.rcesecurity.com"));
startActivity(i);
6. RISK
=======
A malicious app on the same device is able to exploit this
vulnerability to lead
the user to any webpage/content. The specific problem here is the
assumed trust
boundary between the user having the Framer Preview app installed
and what the app
is actually doing/displaying to the user. So if the user sees the
app being
loaded and automatically loading another page, it can be assumed
that the loaded
page is also trusted by the user.
7. SOLUTION
===========
-
8. REPORT TIMELINE
==================
2020-09-06: Discovery of the vulnerability
2020-09-06: CVE requested from MITRE
2020-09-07: Contacted vendor via their security@, no response
2020-09-08: MITRE assigns CVE-2020-25203
2020-09-09: Informed vendor about the CVE assignment, no
response
2020-09-22: Public disclosure due to unresponsive vendor
9. REFERENCES
=============
-
Read more https://packetstormsecurity.com/files/159264/framerpreview-inject.txt