According to Threatpost, SHAREit has two flaws that give hackers full access.
Sharing files over Wi-Fi was a truly revolutionary method that surpassed Bluetooth. SHAREit and Xender brought a tremendous change in the speed of sharing files: no more waiting long hours to share single or multiple files. But what if these apps fail on privacy or compromise your security?
Recent flaws in the world's most used sharing app could put users' privacy at risk.
REDFORCE (an information security consultancy firm consisting of a team of experts in the offensive security field) discovered bugs that can bypass the app's authentication system and give access to files, Facebook tokens, and cookies as well.
What's shocking about the threat is that it was discovered in December 2017, but even after the bug was disclosed, the company did not put the news (a CVSS 3.0 score of 8.2, High severity) in front of users, as it could have led to a fall in the app's user rating. The company did, though, fix the bug in 2018.
“We wanted to give as many people as we can the time to update and patch their devices before making the critical vulnerability common knowledge,” said Abdulrahman Nour, a researcher at REDFORCE.
Hackers could easily check whether a user's phone is active through the SHAREit server running on it. They can do this by checking its designated ports: port 55283 and port 2999.
The company, though, described the ports as being used for different purposes.
Port 55283 is used for device identification, handling file transfer requests, and sending or receiving messages, while port 2999 is the app's HTTP server, used by clients to download shared files.
Attackers, though, could easily infiltrate a user's phone with a simple URL, sending a request that acts as if they were trying to fetch a non-existent page. In reality, they are trying to add themselves to the victim's trusted devices list.
The ‘MSGID’ parameter is a unique identifier meant to ensure that file-sharing requests are initiated by the sender. The main flaw of SHAREit is that it failed to validate it. Because of this, when an unknown user tries to infiltrate someone's phone, the device's server automatically adds them to the list of recognized devices with status code 200.
This comes in handy for attackers, who can violate the user's security without being noticed. They could easily download all the private videos, autofill data, hotspot info, and even the Amazon Web Services user key, and could also download unwanted files onto a PC.
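The missing MSGID validation described above, sketched as the check a sharing device could apply before it trusts a peer. This is an added example, not SHAREit's or REDFORCE's code; the class and method names, the 403/404 responses, the expiry time and the sample data are assumptions made for illustration.

```python
import secrets
import time


class TransferGate:
    """Hypothetical model of the sharing device's request check (not SHAREit code)."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}     # msgid -> (device_id, expiry time)
        self.trusted = set()   # recognized devices

    def offer(self, device_id):
        """The sender initiates a share with device_id and issues its msgid."""
        msgid = secrets.token_urlsafe(16)
        self._pending[msgid] = (device_id, self._clock() + self._ttl)
        return msgid

    def _msgid_ok(self, device_id, msgid):
        entry = self._pending.get(msgid) if isinstance(msgid, str) else None
        if entry is None:
            return False                    # never issued by this sender
        owner, expiry = entry
        if self._clock() > expiry:
            del self._pending[msgid]        # stale offer
            return False
        return owner == device_id           # issued, but was it to this peer?

    def handle_download(self, device_id, msgid, path, shared_paths):
        """Return an HTTP-style status; trust is granted only after validation."""
        if not self._msgid_ok(device_id, msgid):
            return 403                      # trusted set is left untouched
        self.trusted.add(device_id)
        return 200 if path in shared_paths else 404


if __name__ == "__main__":
    gate = TransferGate()
    shared = {"/photo.jpg"}                 # constructed sample data
    print(gate.handle_download("stranger", None, "/no-such-page", shared))
    msgid = gate.offer("peer-A")
    print(gate.handle_download("peer-A", msgid, "/photo.jpg", shared))
    print(sorted(gate.trusted))
```

The ordering is the point: the identifier is checked against what the sender actually issued before the peer is recorded as recognized, so a request for a missing page can no longer change the trust list.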
Though the company patched the vulnerability in March 2018, it didn't provide any resources (a CVE number or the patched version of the application) to the researchers. It didn't cooperate with the researchers at REDFORCE Lab and didn't provide them with any information regarding it.