VYPR
Unrated severity · NVD Advisory · Published Apr 27, 2022 · Updated Apr 23, 2025

Exposure of Sensitive Information to an Unauthorized Actor in com.nextcloud.client

CVE-2022-24886

Description

Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nextcloud Android app prior to 3.19.0 exposes contacts to any app with notification permission via an implicit PendingIntent.

Vulnerability

The Nextcloud Android app versions prior to 3.19.0 contain a vulnerability in the notification handling logic. An implicit PendingIntent is used, which allows any application on the device that has the POST_NOTIFICATIONS permission to access the user's contacts without the calling app needing the READ_CONTACTS permission. This occurs because the PendingIntent is not made immutable, enabling other apps to intercept and invoke it. The affected versions are all releases before 3.19.0 [1][2].

Exploitation

An attacker must have an application installed on the same Android device that has been granted the notification permission (i.e., POST_NOTIFICATIONS). The malicious app can then trigger the implicit PendingIntent exposed by the Nextcloud app, which in turn accesses the contacts database. No additional user interaction or authentication is required beyond the initial installation and permission grant [2].

Impact

Successful exploitation results in unauthorized access to the victim's contact list. The attacker gains the ability to read all contacts stored on the device that are accessible to the Nextcloud app. This is a confidentiality breach, as contact information (names, phone numbers, email addresses) is disclosed to a third-party application without the user's consent [2].

Mitigation

The vulnerability is fixed in Nextcloud Android app version 3.19.0, released on April 27, 2022. The fix involves making all PendingIntent objects immutable, preventing other apps from intercepting them [1]. Users should upgrade to version 3.19.0 or later. There are no known workarounds for this issue [2].
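To make the fix concrete, here is the pattern the narrative describes (an implicit Intent wrapped in a PendingIntent that is left mutable) beside the hardened form (an explicit Intent with FLAG_IMMUTABLE). This is an added illustration written for this page, not code from the Nextcloud Android app; the class, action string, activity name and request code are placeholders.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

// Illustrative helper; not part of the Nextcloud Android app.
public final class NotificationIntents {

    // Placeholder action and request code (assumed, not taken from the advisory).
    private static final String ACTION_OPEN = "com.example.app.action.OPEN_CONTACTS";
    private static final int REQUEST_CODE = 42;

    private NotificationIntents() {}

    // Weak form: an implicit Intent (action only, no target component) wrapped
    // in a PendingIntent without FLAG_IMMUTABLE. The token executes with this
    // app's identity and permissions, and whoever holds it can fill in fields
    // the original left empty (Intent.fillIn) before it is sent, so the
    // component that finally handles it is not fixed by this app.
    public static PendingIntent weakPendingIntent(Context context) {
        Intent intent = new Intent(ACTION_OPEN);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        return PendingIntent.getActivity(context, REQUEST_CODE, intent, flags);
    }

    // Hardened form: an explicit Intent pins the target component to a class
    // in this app (placeholder name), and FLAG_IMMUTABLE (available since
    // API 23) stops the holder from altering the wrapped Intent. Android 12
    // (API 31) additionally requires every PendingIntent to declare either
    // FLAG_IMMUTABLE or FLAG_MUTABLE.
    public static PendingIntent hardenedPendingIntent(Context context) {
        Intent intent = new Intent(context, ContactsViewerActivity.class);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            flags |= PendingIntent.FLAG_IMMUTABLE;
        }
        return PendingIntent.getActivity(context, REQUEST_CODE, intent, flags);
    }
}
```

When reviewing an app for this class of issue, look for every `PendingIntent.get*` call and check two things: that the wrapped Intent names a component (or at least a package) rather than only an action, and that FLAG_IMMUTABLE is set unless the receiver genuinely needs to fill in fields. Android Lint's `UnspecifiedImmutableFlag` check reports PendingIntent creations that set neither mutability flag, which is a convenient way to sweep a code base.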

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)