Android file manager ES File Explorer has a vulnerability that put 100 Million Users’ Data at Risk. A hidden web server runs always in background.
ES File Explorer is a popular Android app with more than 100 Million downloads. But that thing has a vulnerability: After the app is opened once, a hidden web server runs always in background. Anyone connected to the same local network can remotely get a file from your phone. That’s what Elliot Alderson found and reported within this tweet.
With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN
— Elliot Alderson (@fs0c131y) 16. Januar 2019
Even worse: Access to files will be possible, even if the user has not granted the app any permissions on the Android device. So it’s easy to exploit the vulnerability that is now tracked as CVE-2019-6447. But this isn’t the only vulnerability – Elliot Alderson found more vulnerabilities within ES File Explorer app. Developer ES Global kept silent, if and when the flaws will be fixed.
A few more details may be found within this article from Bleeping Computer. For my own, I used ES File Explorer long ago (during the times of Android 1.6 and 2.x up to 4.x). But some day I discovered, that after updating the app, there was a request for many permissions (contacts, WiFi and more ressources). So I decided to dump this app from my Android devices.