yintibao Fun Print Mobile Unauthorized Access via Context Hijacking

Vulnerability Description

Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.

Technical Description

• Performed on Android 13 aarch64 - Samsung (Galaxy Tab A7 Lite)
• Using Frida client on Ubuntu 24.04 LTS - Frida server on Samsung Rooted Device.
• The target Activity is exported true. Which means any application may interact with it, given that permissions are provided.
• The attacking host needs to attach the device email to the application; then the account can be used by the application.

The PandoraEntry activity is exported (android:exported="true") and processes external intents without validation. Below is the PandoraEntryActivity code:

  protected void onCreate(Bundle bundle) {
      // ... INITALIZATION CODE ...  super.onCreate(bundle);

      // BELOW EXTERNAL INTENT ACCEPTED WITHOUT VALIDATION Intent
      intent = getIntent();

      // ... PROCESSING CONTINUES WITH UNVALIDATED INTENT ...
      if (intent.hasExtra(IntentConst.START_FROM_TO_CLASS) &&
      SDK.isUniMPSDK()) {
          String stringExtra =
          intent.getStringExtra(IntentConst.START_FROM_TO_CLASS);
          if (!TextUtils.isEmpty(stringExtra) &&
          stringExtra.startsWith("io.dcloud.feature.sdk.multi")) {
              intent.setClassName(getPackageName(), stringExtra);
              intent.removeExtra(IntentConst.START_FROM_TO_CLASS);
          }
      } else {
          intent.putExtra(IntentConst.WEBAPP_SHORT_CUT_CLASS_NAME,
          PandoraEntry.class.getName()); intent.setClass(this,
          PandoraEntryActivity.class);
      }

      //UNVALIDATED INTENT FORWARDED startActivity(intent);
      overridePendingTransition(0, 0);
  }

Mitigation and Remediation Recommendation

No response from vendor. There are no known mitigations to end-users of the affected application version(s).

Credit

This vulnerability was discovered by Felix Segoviano of KoreLogic, Inc.

Proof of Concept

URL: https://www.korelogic.com/advisories/KL-001-2026-001.poc.js.txt

SHA256sum: ddb3c840c94b204fbbe2931a68771ae28d8ea9c778310cfa83e218a64a41ffd5

The contents of this advisory are copyright(c) 2026 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy