CVE-2023-26316
Description
XSS in Xiaomi cloud service app via Webview whitelist bypass allows cookie theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Xiaomi cloud service Application product contains a cross-site scripting (XSS) vulnerability. The bug arises from the Webview's whitelist checking function, which improperly permits the javascript: protocol to be loaded. This enables an attacker to inject malicious JavaScript code into the Webview context. Affected versions include the Xiaomi cloud service app as described in the advisory [1].
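The defect described above is a URL allowlist that is matched before the URL is parsed, so a `javascript:` URI that merely contains an allowed host name slips through. The following is an added example of the defensive pattern, written for this page and not taken from Xiaomi's app: the weak substring check is shown only for contrast beside a check that parses the URL and requires both an allowed scheme and an exact allowed host. The host `cloud.example.com`, the class names, and the `WebViewClient` wiring are assumptions for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * Added example (not Xiaomi's code): a WebView navigation allowlist that
 * decides on the parsed scheme and host rather than on the raw string.
 * "cloud.example.com" is a placeholder for the app's real cloud host.
 */
public final class WebViewAllowlist {
    // Java 9+ Set.of; on older toolchains use Collections.unmodifiableSet(new HashSet<>(...)).
    private static final Set<String> ALLOWED_SCHEMES = Set.of("https");
    private static final Set<String> ALLOWED_HOSTS = Set.of("cloud.example.com"); // placeholder

    /**
     * Weak check of the kind the advisory describes: the host is looked for as a
     * substring of the raw URL. "javascript:void(0)//cloud.example.com" passes,
     * because the scheme is never examined. Kept here only to contrast with isAllowed().
     */
    static boolean weakCheck(String url) {
        return url.contains("cloud.example.com");
    }

    /** Hardened check: parse first, then require an allowed scheme AND an exact allowed host. */
    static boolean isAllowed(String url) {
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;            // unparseable input is rejected, never passed through
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false;            // "javascript:..." is an opaque URI with no host: rejected here
        }
        return ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** WebViewClient that drops any navigation the allowlist does not accept. */
    public static final class Client extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
            String url = request.getUrl().toString();
            // true = "handled by the app" (the WebView does not load it); false = let it load.
            return !isAllowed(url);
        }
    }
}
```

Two points a reviewer would check when wiring this in: the same `isAllowed` check must also guard every place the app itself calls `WebView.loadUrl` with externally supplied input (deep links, intents), since `shouldOverrideUrlLoading` only sees navigations the WebView reports; and the allowlist is about scheme and host only, so a separate decision is still needed on whether JavaScript and file access should be enabled for the pages that do pass.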
Exploitation
An attacker needs to craft a URL with the javascript: scheme and deliver it to the victim, typically via phishing or by embedding in a third-party site that the app renders. No special network position or authentication is required; the victim simply must open the malicious link in the affected app. The sequence: the attacker constructs a payload URL, the victim clicks it, the Webview loads the javascript: URI, and the injected script executes within the app's session, stealing cookies or other sensitive data.
Impact
Successful exploitation leads to theft of Xiaomi cloud service account cookies. The attacker gains unauthorized access to the victim's cloud account, enabling data exfiltration, account manipulation, or further attacks. The compromise occurs within the app's security context, with the attacker obtaining cookie-level access.
Mitigation
As of the advisory publication date (2023-08-02), Xiaomi has not yet disclosed a specific fix. The advisory [1] states that the vulnerability is being investigated and a solution will be provided in a future update. No workaround is currently available. Users should monitor official Xiaomi channels for patch announcements and avoid clicking untrusted links in the app until a fix is released.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Xiaomi / cloud service Application
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.