CVE-2018-3987
An exploitable information disclosure vulnerability exists in the “Secret Chats” functionality of Rakuten Viber on Android 9.3.0.6. The “Secret Chats” functionality allows a user to delete all traces of a chat either by using a time trigger or by direct request. There is a bug in this functionality which leaves behind photos taken and shared on the secret chats, even after the chats are deleted. These photos will be stored in the device and accessible to all applications installed on the Android device.
Rakuten Viber Android 9.3.0.6
4.2 - CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
CWE-359: Exposure of Private Information (‘Privacy Violation’)
When a user takes a picture to send over a secret chat, a copy of that photo will remain on the Android filesystem even after the user deletes the chat. Or even if the chat is self-destructed.
The problem lies in the way Viber takes the photo upon user request. The class com.viber.voip.util.aj contains the code that takes the photo:
a var1 = new a(); var1.b = cq.h.a(var0, (String)null, false); if (var1.b != null) { var1.b = c.a(var1.b, var0, “com.viber.voip.provider.file”); « Path to safe photo }
if (n.b(true) && n.a(true)) { ArrayList var2 = new ArrayList(); Intent var3 = new Intent(“android.media.action.IMAGE_CAPTURE”); « Intent Creation var3.putExtra(“output”, var1.b); ViberActionRunner.a(var0, var3, var1.b); var2.add(var3); var1.a = Intent.createChooser((new Intent()).setType(“image/*”).setAction(“android.intent.action.PICK”), ViberApplication.getInstance().getString(2131822644));
var1.a.putExtra("android.intent.extra.INITIAL_INTENTS", (Parcelable[])var2.toArray(new Parcelable[0])); }
Viber uses the intent “android.media.action.IMAGE_CAPTURE” to take the photo. This means that the photo is actually taken by the application that is registered to act upon this action. Although Viber passes the path to save the picture it doesn’t control what the application does with the photo.
In most cases, the native camera application will save the photo on the Android file system next to saving the picture to the path passed by Viber.
This means that when a secret chat is deleted, Viber deletes the photo which resides in the path it provided to Mediastore, but not the one saved by the native camera application.
In order to avoid this issue Viber should implement its own photo taking code using the Camera2 class (Camera class could also be used but it as been deprecated on API level 21). This way the application can ensure that the photo data is not saved by a third party application.
2018-09-05 - Vendor Disclosure 2019-02-07 - Public Release
Discovered by Vitor Ventura of Cisco Talos