Affected Systems
Discovered By
Vulnerability Details
Vulnerability Description
Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.
Technical Description
- Performed on Android 13 aarch64 - Samsung (Galaxy Tab A7 Lite)
- Using Frida client on Ubuntu 24.04 LTS - Frida server on Samsung Rooted Device.
- The target Activity is exported true. Which means any application may interact with it, given that permissions are provided.
- The attacking host needs to attach the device email to the application; then the account can be used by the application.
The PandoraEntry activity is exported (android:exported="true")
and processes external intents without validation. Below is
the PandoraEntryActivity code:
protected void onCreate(Bundle bundle) {
// ... INITALIZATION CODE ... super.onCreate(bundle);
// BELOW EXTERNAL INTENT ACCEPTED WITHOUT VALIDATION Intent
intent = getIntent();
// ... PROCESSING CONTINUES WITH UNVALIDATED INTENT ...
if (intent.hasExtra(IntentConst.START_FROM_TO_CLASS) &&
SDK.isUniMPSDK()) {
String stringExtra =
intent.getStringExtra(IntentConst.START_FROM_TO_CLASS);
if (!TextUtils.isEmpty(stringExtra) &&
stringExtra.startsWith("io.dcloud.feature.sdk.multi")) {
intent.setClassName(getPackageName(), stringExtra);
intent.removeExtra(IntentConst.START_FROM_TO_CLASS);
}
} else {
intent.putExtra(IntentConst.WEBAPP_SHORT_CUT_CLASS_NAME,
PandoraEntry.class.getName()); intent.setClass(this,
PandoraEntryActivity.class);
}
//UNVALIDATED INTENT FORWARDED startActivity(intent);
overridePendingTransition(0, 0);
}Mitigation and Remediation Recommendation
No response from vendor. There are no known mitigations to end-users of the affected application version(s).
Credit
This vulnerability was discovered by Felix Segoviano of KoreLogic, Inc.
Proof of Concept
URL: https://www.korelogic.com/advisories/KL-001-2026-001.poc.js.txt
SHA256sum: ddb3c840c94b204fbbe2931a68771ae28d8ea9c778310cfa83e218a64a41ffd5
The contents of this advisory are copyright(c) 2026 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
Disclosure Timeline
KoreLogic requests security contact from vendor via weizhengsl@vip.qq.com and 277517409@qq.com.
KoreLogic submits vulnerability details to vendor via weizhengsl@vip.qq.com and 277517409@qq.com.
KoreLogic public disclosure.
Responsible Disclosure
KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.