Friday, January 18, 2019

A Vulnerability in ES File Explorer Exposes All of Your Files to Anyone on the Same Network

For the longest time, ES File Explorer was the de facto file manager on Android. As time has gone on, however, it’s proven to be less trustworthy. A recent vulnerability reminds us why there are better choices now.

As reported by Android Police, there’s a new vulnerability in ES that exposes your files to anyone on the same network—you only need to open the app once. This bug was found by researching Elliot Alderson, who posted about it on Twitter.

Apparently, ES leaves port 59777 open on your phone after it’s launched, giving anyone on the same network access to the file structure and beyond. An attacker can use that open port to inject a JSON payload, then get access to—and download—all of your info.

The upside is that the ES team knows about the issue and says it’s been fixed, with an update incoming:

We have fixed the http vulnerability issue and released it. Waiting for the Google market to pass the review.

Still, given ES’ rocky history, this is just another opportunity to remind everyone there are better options out there. If you insist on using ES, I would at least suggestion steering clear of it until the update that fixes this bug is available in the Play Store.

via Android Police

No comments:

Post a Comment