Session 1.17.5 - LFR via chat attachment

Vulnerability

Session version 1.17.5 contains a local file read (LFR) vulnerability exploitable through the chat attachment feature. The application fails to restrict the file paths that can be attached, allowing an attacker to read arbitrary files from the device's internal storage, including application preferences and public directories. The affected version is 1.17.5 [1][2].

Exploitation

An attacker can exploit this by crafting an intent that triggers the ShareActivity with a file:// URI pointing to a target file, such as file:///data/user/0/network.loki.messenger/shared_prefs/network.loki.messenger_preferences.xml. The attacker must have the ability to send a chat message with an attachment (user interaction is required) and the victim must open the attachment. The exploit code sets StrictMode to lax to bypass file URI restrictions [1].

Impact

Successful exploitation allows the attacker to read internal application files (e.g., shared preferences, configuration) and public files (e.g., images, downloads) from the victim's device without their consent. This leads to information disclosure of sensitive data, potentially including private keys, tokens, or personal files [1].

Mitigation

As of the advisory date, no official patch has been released for version 1.17.5. The Session Android repository has been deprecated and development has moved to a new repository [2]. Users should upgrade to the latest version available from the new repository or the Google Play Store. No workaround is documented [1].