WARP client manifest misconfiguration leading to Task Hijacking
Description
Due to a misconfiguration in the manifest file of the WARP client for Android, it was possible to perform a task hijacking attack. An attacker could create a malicious mobile application which could hijack the legitimate app and steal potentially sensitive information when installed on the victim's device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A task hijacking vulnerability in the Cloudflare WARP Android client, caused by a manifest misconfiguration, allows a malicious app to steal sensitive information.
Vulnerability
The Cloudflare WARP Android client prior to version 2022.12.476.0 contains a task hijacking vulnerability caused by a misconfiguration in the Android manifest file [1]. This allows a malicious application to intercept the legitimate app's task, as the manifest does not properly restrict which activities can be launched by external apps.
Exploitation
An attacker must create a malicious Android application that registers an intent filter matching the WARP client's activity. The victim must install this malicious app on their device. No additional network access or authentication is required. When the victim launches the legitimate WARP app, the malicious app can hijack the task, potentially capturing the user's interaction and any data displayed.
Impact
Successful exploitation enables the attacker to steal potentially sensitive information that the WARP client displays or processes, such as authentication tokens or personal data. The compromise is limited to information disclosure; the attacker does not gain remote code execution or persistent access beyond the hijacked session.
Mitigation
Upgrade the Cloudflare WARP Android client to version 2022.12.476.0 or later, which contains the fix [1]. No workaround is available for unpatched versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
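The following manifest check is an added example, not code from Cloudflare or from this advisory. The advisory does not say which manifest attribute was misconfigured, so the script assumes the commonly documented hardening for Android task hijacking (an explicitly empty android:taskAffinity) and reads a decoded, plain-text AndroidManifest.xml; the package and activity names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; package and activity names are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpnclient">
  <application android:label="Example">
    <activity android:name=".MainActivity" android:exported="true"
              android:launchMode="singleTask">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:taskAffinity=""/>
    <activity android:name=".LoginActivity"
              android:allowTaskReparenting="true"/>
  </application>
</manifest>"""


def audit_task_affinity(manifest_xml):
    """Map each activity with a non-empty effective taskAffinity to its findings."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    app = root.find("application")
    if app is None:
        return {}
    # An activity inherits the application's taskAffinity; when neither sets
    # one, Android falls back to the package name.
    app_affinity = app.get(NS + "taskAffinity")
    app_reparent = app.get(NS + "allowTaskReparenting")
    report = {}
    for act in app.findall("activity"):
        affinity = act.get(NS + "taskAffinity", app_affinity)
        if affinity == "":
            continue  # explicitly empty: no affinity another app can match
        findings = ["taskAffinity=" + (affinity or package + " (default)")]
        if act.get(NS + "launchMode") == "singleTask":
            findings.append("launchMode=singleTask")
        if act.get(NS + "allowTaskReparenting", app_reparent) == "true":
            findings.append("allowTaskReparenting=true")
        report[act.get(NS + "name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_task_affinity(SAMPLE_MANIFEST).items():
        print(name, "->", ", ".join(findings))
```

Setting android:taskAffinity="" on the application element of the sample clears every finding, because activities inherit the application's value.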
Affected products (2)
- Cloudflare/WARP v5, Range: 0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.