Android: ES File Explorer vulnerable

The Android file manager ES File Explorer has a vulnerability that put the data of 100 million users at risk: a hidden web server always runs in the background.


ES File Explorer is a popular Android app with more than 100 million downloads. But the app has a vulnerability: once it has been opened, a hidden web server keeps running in the background. Anyone connected to the same local network can remotely get a file from your phone. That's what Elliot Alderson found and reported in this tweet.

Even worse: access to files is possible even if the user has not granted the app any permissions on the Android device. So the vulnerability, now tracked as CVE-2019-6447, is easy to exploit. But this isn't the only one: Elliot Alderson found more vulnerabilities in the ES File Explorer app. The developer, ES Global, has kept silent on whether and when the flaws will be fixed.

A few more details may be found in this article from Bleeping Computer. As for me, I used ES File Explorer long ago (in the days of Android 1.6 and 2.x up to 4.x). But one day I discovered that, after updating the app, there was a request for many permissions (contacts, WiFi and more resources). So I decided to dump this app from my Android devices.
