CVE-2023-30704
Description
Improper Authorization vulnerability in Samsung Internet prior to version 22.0.0.35 allows a physical attacker to access downloaded files in Secret Mode without user authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Physical access to a device running Samsung Internet before version 22.0.0.35 allows viewing files downloaded in Secret Mode without authentication, due to improper authorization.
Vulnerability
The vulnerability lies in the Samsung Internet browser's Secret Mode on Android devices prior to version 22.0.0.35. An improper authorization check in the download manager component fails to require user authentication when accessing files downloaded within Secret Mode. This allows anyone with physical access to the unlocked device to browse and access the list of downloaded files that were intended to be kept private by Secret Mode.
Exploitation
An attacker must have physical possession of the victim's device and be able to unlock the screen (the device must already be unlocked, or the attacker knows the PIN/pattern/biometric). Once unlocked, the attacker can navigate to the Samsung Internet app's download history list. Without entering any additional authentication, the attacker can view and open all files previously downloaded in Secret Mode. No further credentials, such as the Secret Mode PIN, are required.
Impact
Successful exploitation leads to a breach of confidentiality. The attacker gains access to the contents of files downloaded in Secret Mode, which may include sensitive documents, images, or other private data. This violates the privacy protection that Secret Mode is designed to provide. The attacker does not gain any code execution or privilege escalation beyond the normal user context.
Mitigation
Samsung released a fix with Samsung Internet version 22.0.0.35, which enforces proper authorization checks before allowing access to Secret Mode downloads. Users should update the Samsung Internet app to this version or later via the Galaxy Store or Google Play Store. No workaround is described in the available references. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <22.0.0.35
- Range: 22.0.0.35
Patches
No patches discovered yet.
References