VYPR
Unrated severity · NVD Advisory · Published Jun 17, 2020 · Updated Aug 4, 2024

CVE-2020-6869

Description

ZTEMarket APK up to v10.06 exposes an Activity component, allowing local attackers to steal private cookies and perform silent app installations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ZTEMarket APK versions up to and including 10.06 expose an Activity component, enabling an information leak. The component is accessible without proper permission checks. This vulnerability exists in the Android application and is identified in the ZTE advisory as affecting all versions prior to 10.07 [1].

Exploitation

An attacker with local access to the device (i.e., the ability to launch activities on the affected application) can exploit the exposed Activity component to retrieve private cookies. The attack requires the user to have the ZTEMarket app installed. No other special privileges or user interaction beyond launching the malicious intent is needed [1].

Impact

Successful exploitation allows the attacker to obtain private cookies, leading to information disclosure of session data. Additionally, the attacker can execute silent installation of applications without the user's consent, which compromises the integrity and confidentiality of the device [1].

Mitigation

The vulnerability is fixed in ZTEMarket APK version 10.07, released according to the vendor's security bulletin on June 17, 2020. Users are advised to update to version 10.07 or later. No workarounds are provided for older versions [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
