CVE-2023-29747
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
Story Saver for Instagram - Video Downloader 1.0.6 for Android contains an exposed component that provides a method to modify SharedPreferences files. An attacker can use the method to modify the data in any SharedPreferences file of the application; these data are loaded into memory when the application is opened. Depending on how the data are used, this can have various consequences, such as abnormal ad display.
Comprehensive Technical Analysis of CVE-2023-29747
- CVE ID: CVE-2023-29747
- CVSS Score: 9.8 (Critical)
- Affected Software: Story Saver for Instagram - Video Downloader (v1.0.6 for Android)
- Vulnerability Type: Exposed Component with SharedPreferences Manipulation
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
CVE-2023-29747 describes an exposed component vulnerability in Story Saver for Instagram - Video Downloader (v1.0.6), where an attacker can modify arbitrary SharedPreferences files of the application. SharedPreferences in Android are XML-based key-value stores kept in the app's private data directory (/data/data/<package>/shared_prefs/) and used to persist application settings, user preferences, and sometimes sensitive data (e.g., authentication tokens, API keys, or configuration flags). They are normally writable only by the app itself; an exported component that writes to them on behalf of any caller removes that boundary.
Severity Justification (CVSS 9.8 - Critical)
The CVSS v3.1 scoring breakdown is as follows:
| Metric | Score | Justification |
|---|---|---|
| Attack Vector (AV) | Network | Scored Network in the published vector. In practice the exported component is reachable only through local IPC from another app on the same device (see section 2), so Local would describe the attack more accurately. |
| Attack Complexity (AC) | Low | No special conditions; a single explicit Intent suffices. |
| Privileges Required (PR) | None | The calling app needs no permission because the component declares none. |
| User Interaction (UI) | None | The victim does not have to do anything. |
| Scope (S) | Unchanged | Impact is confined to the vulnerable application's data. |
| Confidentiality (C) | High | Scored High; note that the component gives write access only, so confidentiality loss depends on the app later exposing attacker-planted values (e.g., sending data to an attacker-chosen endpoint read from preferences). |
| Integrity (I) | High | Attacker can rewrite any preference and thereby change application behavior (ad configuration, premium flags, stored tokens). |
| Availability (A) | High | Corrupted or type-mismatched preferences can crash the app on launch, since they are loaded when the app starts. |
Resulting CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Key Risk Factors
- No Privileges or User Interaction Required: any co-installed app can trigger the write; the published vector also scores it as network-reachable, although the advisory describes no remote path.
- Data Tampering: Attackers can modify critical application data (e.g., authentication tokens, API keys, or ad-related configurations).
- Secondary Effects: Could enable in-app privilege escalation, ad fraud, or session fixation if SharedPreferences store security-relevant values.
- Low Exploitation Complexity: A publicly available PoC (the advisory's GitHub reference) increases the risk of abuse.
2. Potential Attack Vectors & Exploitation Methods
Exploitation Mechanism
The vulnerability stems from an exposed Android component (an Activity, Service, or BroadcastReceiver that is exported, either explicitly with android:exported="true" or implicitly through an intent filter on apps targeting API 30 or lower) that offers an unintended interface for writing to the app's SharedPreferences files. Any other app on the same device can send an Intent to such a component, and unless the component declares an android:permission the sender needs no permission at all. Attackers can exploit this via:
A. Direct Intent-Based Exploitation
1. Identify the exposed component:
   - Reverse-engineer the APK (JADX or Apktool for static analysis, Frida for runtime inspection) to locate the vulnerable component.
   - Example vulnerable component (hypothetical: the advisory does not publish the real class or extra names, so the names below are placeholders):
     ```java
     public class SharedPrefModifierActivity extends Activity {
         @Override
         protected void onCreate(Bundle savedInstanceState) {
             super.onCreate(savedInstanceState);
             Intent i = getIntent(); // extras come from whichever app sent the Intent
             modifySharedPref(i.getStringExtra("fileName"), i.getStringExtra("key"), i.getStringExtra("value"));
             finish();
         }
         public void modifySharedPref(String fileName, String key, String value) { // no validation: vulnerable
             SharedPreferences prefs = getSharedPreferences(fileName, MODE_PRIVATE);
             prefs.edit().putString(key, value).apply();
         }
     }
     ```
   - The component is exported (android:exported="true" in AndroidManifest.xml), allowing external apps to invoke it.
2. Craft a malicious Intent:
   - The attacker sends an Intent to the component whose extras name the SharedPreferences file, key and value to write.
   - Example using adb (the activity name is the placeholder from above; the package name is the one listed in section 3):
     ```shell
     adb shell am start -n story.saver.downloader.photo.video.repost.byrk/.SharedPrefModifierActivity \
       --es fileName "com.storysaver.prefs" \
       --es key "auth_token" \
       --es value "malicious_token"
     ```
     `am start` from adb runs as the shell uid, which makes it a convenient test harness; a real attack comes from a malicious app sending the same explicit Intent.
3. Modify critical data:
   - If the app stores authentication tokens, API keys, or ad identifiers in SharedPreferences, the attacker can:
     - Replace the session token with one of their choosing (session fixation) or break the session outright; stealing the victim's existing token would need a read primitive the component does not provide.
     - Disable ads (if ad-related flags are manipulated).
     - Escalate privileges within the app (if role or premium flags are stored in SharedPreferences).
B. Indirect Exploitation via Malicious App
- A malicious app installed on the same device can:
  - Discover the vulnerable component via PackageManager (e.g., getPackageInfo with GET_ACTIVITIES); on Android 11+ this may require a <queries> declaration, but an attacker who already knows the component name from the APK needs no discovery step.
  - Send Intents to modify SharedPreferences without any user interaction.
  - Influence what the app does next with the planted values. Note the limit of the primitive: the component writes preferences, it does not read them back, so exfiltrating existing values requires either a separate bug or a preference the app later reflects elsewhere (for example, in a request it sends).
C. Remote Exploitation
- Exported Activities are reachable only over Android's local IPC (Binder). Remote exploitation would need an additional vector, such as the app exposing a network listener that forwards to the component, or a browser-reachable intent:// link routed to it.
- Nothing in the advisory indicates such a vector, so despite AV:N in the published CVSS vector the practical attack vector is a co-installed malicious app.
3. Affected Systems & Software Versions
Vulnerable Software
- Application: Story Saver for Instagram - Video Downloader
- Version: 1.0.6 (earlier versions are likely affected too if they ship the same component; the advisory names only 1.0.6).
- Platform: Android (all OS versions, as the vulnerability is in the app, not the platform).
- Package Name: story.saver.downloader.photo.video.repost.byrk (as per APK sources).
Verification Steps
- Check the installed version:
  ```shell
  adb shell dumpsys package story.saver.downloader.photo.video.repost.byrk | grep versionName
  ```
- Reverse-engineer the APK:
  - Decompile the APK (apktool d) and verify the presence of an exported component that modifies SharedPreferences.
  - Check the decoded AndroidManifest.xml for an entry like the following (the activity name is a placeholder):
    ```xml
    <activity android:name=".SharedPrefModifierActivity" android:exported="true" />
    ```
  - Also check components that have no android:exported attribute but declare an <intent-filter>: for apps targeting API 30 or lower these are exported implicitly.
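The manifest check above can be scripted. The following Python is an added example, not the advisory's or the app's own code: it parses an apktool-decoded AndroidManifest.xml and lists every component other apps can reach (explicit android:exported="true", or an intent filter with no exported attribute), separating those that have no android:permission gate. The manifest below is a constructed sample; the component names in it (SharedPrefModifierActivity, SyncReceiver, AdminService, etc.) are placeholders, not the real app's components.

```python
"""List Android components reachable by other apps, from an apktool-decoded manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest for this example; the component names are placeholders
# invented for illustration, not the real app's components.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="story.saver.downloader.photo.video.repost.byrk">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SharedPrefModifierActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </receiver>
    <service android:name=".AdminService" android:exported="true"
             android:permission="story.saver.downloader.photo.video.repost.byrk.ADMIN"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def exported_components(manifest_xml):
    """Return (tag, name, reason, permission) for every component other apps can reach.

    A component is reachable when android:exported="true", or when the attribute is
    absent and an <intent-filter> is present (implicit export; apps targeting API 31+
    must declare the attribute, so that branch only matters for older targets).
    The launcher activity is reported too: it is exported by design, which is why
    each finding still needs a human judgement.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported = attr(elem, "exported")
        has_filter = elem.find("intent-filter") is not None
        if exported == "true":
            reason = "exported=true"
        elif exported is None and has_filter:
            reason = "implicit (intent-filter, no exported attribute)"
        else:
            continue
        findings.append((elem.tag, attr(elem, "name"), reason, attr(elem, "permission")))
    return findings


def unprotected(findings):
    """Exported components with no android:permission gate: review these first."""
    return [f for f in findings if f[3] is None]


if __name__ == "__main__":
    for tag, name, reason, perm in exported_components(SAMPLE_MANIFEST):
        print(f"{tag:10} {name:30} {reason:45} permission={perm}")
```

Run it against decompiled_app/AndroidManifest.xml after `apktool d`; anything in the unprotected list that takes caller-supplied data (Intent extras, content URIs) is where to look for the SharedPreferences write described in this advisory.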
4. Recommended Mitigation Strategies
Immediate Remediation (For Developers)
1. Remove or secure the exposed component:
   - Set android:exported="false" on every component unless it must be reachable from other apps (apps targeting API 31+ must declare the attribute explicitly on any component with an intent filter).
   - Remove the vulnerable method if it serves no legitimate purpose.
   - If the component must stay exported, gate it with android:permission using a custom permission of protectionLevel "signature", so that only apps signed with the same key can call it, and validate the incoming extras (allow-list the file names and keys that may be written).
2. Secure SharedPreferences usage:
   - Avoid storing sensitive data (e.g., tokens, passwords) in plain SharedPreferences.
   - MODE_PRIVATE is the only supported mode (MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE throw SecurityException since API 24); use EncryptedSharedPreferences or an Android Keystore-wrapped key to encrypt sensitive values.
   - Validate SharedPreferences data before use, for example by keeping a keyed integrity seal over the values so tampering is detected on load, and never let a stored flag alone decide a security-relevant action.
3. Update and patch:
   - Release a patched version (v1.0.7 or later) with the component fixed.
   - Notify users via in-app alerts or Google Play Store updates.
Mitigation for End Users
- Uninstall the Vulnerable App:
- Users should remove Story Saver for Instagram - Video Downloader v1.0.6 until a patched version is available.
- Use Alternative Apps:
- Switch to trusted Instagram downloaders with a clean security track record.
- Monitor for Suspicious Activity:
- Check for unexpected ad behavior, session hijacking, or unauthorized access.
Mitigation for Enterprises & Security Teams
- Mobile Threat Defense (MTD):
  - Deploy MTD solutions (e.g., Zimperium, Lookout, or Microsoft Defender for Endpoint) to detect the malicious apps that would act as the local attacker.
- Application Vetting:
  - Use mobile app security testing tools (e.g., MobSF, QARK, or NowSecure) to identify exported components and similar vulnerabilities in other apps before they are allowed on managed devices.
- On-Device Monitoring:
  - Intents never leave the device, so network monitoring cannot see this attack; on managed devices, collect logcat ActivityManager/ActivityTaskManager START lines or MTD telemetry to spot foreign apps launching the vulnerable component.
- User Education:
  - Warn users about sideloading apps from untrusted sources (e.g., APK mirrors).
5. Impact on the Cybersecurity Landscape
Broader Implications
- Increased Risk of Mobile Malware:
  - The vulnerability lets an unprivileged app tamper with another app's private data without root access, a building block mobile malware can reuse.
  - In principle it could be chained with a separate local privilege escalation (e.g., CVE-2023-20963, an Android Framework LPE); the advisory documents no such chain.
- Ad Fraud & Financial Impact:
  - Attackers can manipulate ad-related SharedPreferences to:
    - Disable ads (hurting app revenue).
    - Inject malicious ads (malvertising), if an ad endpoint or configuration is read from preferences.
    - Fake ad impressions (costing advertisers money).
- Supply Chain Risks:
  - If the app were pre-installed on devices (e.g., via OEM partnerships), the vulnerability could affect far more users than its store install base.
  - Third-party libraries used by the app may introduce additional risks.
- Regulatory & Compliance Risks:
  - GDPR/CCPA exposure if personal data is affected.
  - Google Play Store policy violations (if the app is found to be insecure).
Historical Context
- Improper export of Android application components is a well-established weakness class (CWE-926) and a staple finding in mobile app assessments; this CVE is one more instance of it rather than a new technique.
- PoC availability (the advisory's GitHub reference) lowers the skill needed to exploit it.
6. Technical Details for Security Professionals
Deep Dive: Exploitation & Forensic Analysis
A. Reverse Engineering the Vulnerable App
1. Extract and decompile the APK:
   ```shell
   apktool d story_saver.apk -o decompiled_app
   jadx-gui story_saver.apk
   ```
2. Locate the vulnerable component:
   - Search for exported components in decompiled_app/AndroidManifest.xml (placeholder name):
     ```xml
     <activity android:name=".SharedPrefModifierActivity" android:exported="true" />
     ```
   - Analyze the component's code for SharedPreferences writes driven by caller-controlled input:
     ```java
     public void modifySharedPref(String fileName, String key, String value) {
         SharedPreferences prefs = getSharedPreferences(fileName, Context.MODE_PRIVATE);
         prefs.edit().putString(key, value).commit(); // Vulnerable: file, key and value all come from the Intent
     }
     ```
3. Identify sensitive SharedPreferences files:
   - Files worth checking (names are illustrative; the real file names come from the getSharedPreferences() calls in the decompiled code):
     - com.storysaver.prefs
     - com.storysaver.auth
     - com.storysaver.config
B. Exploitation Proof of Concept (PoC)
- Using adb to trigger the vulnerability (placeholder component and key names, as above):
  ```shell
  adb shell am start -n story.saver.downloader.photo.video.repost.byrk/.SharedPrefModifierActivity \
    --es fileName "com.storysaver.prefs" \
    --es key "is_premium_user" \
    --es value "true"
  ```
  Note that --es passes a String extra and the placeholder code stores it with putString(); a key the app reads with getBoolean() would then throw ClassCastException, so a working exploit must match the type the app expects for each key.
- Using a malicious app, which can send the same explicit Intent programmatically:
  ```java
  Intent intent = new Intent();
  intent.setComponent(new ComponentName(
          "story.saver.downloader.photo.video.repost.byrk",
          "story.saver.downloader.photo.video.repost.byrk.SharedPrefModifierActivity"));
  intent.putExtra("fileName", "com.storysaver.prefs");
  intent.putExtra("key", "auth_token");
  intent.putExtra("value", "hacked_token_123");
  startActivity(intent);
  ```
C. Post-Exploitation Impact
- Session Fixation or Disruption: if auth_token is read from SharedPreferences, an attacker can replace it with a token of their choosing or break the session; stealing the victim's own token would need a read primitive the component does not provide.
- Ad Fraud: modify ad_id or show_ads flags to disable ads or redirect ad loading.
- Privilege Escalation within the App: if the app gates actions backed by its own permissions (e.g., READ_CONTACTS) on a preference flag, tampering with the flag can unlock them without the user's knowledge.
- Persistence: SharedPreferences survive app restarts, so the malicious changes remain until the app rewrites the key, clears its data, or is reinstalled.
D. Forensic Artifacts
- Modified SharedPreferences files:
  - Location: /data/data/story.saver.downloader.photo.video.repost.byrk/shared_prefs/ (readable only with root, or via `run-as` if the build is debuggable).
  - Example of a tampered file:
    ```xml
    <?xml version='1.0' encoding='utf-8' standalone='yes' ?>
    <map>
        <string name="auth_token">hacked_token_123</string>
        <boolean name="is_premium_user" value="true" />
    </map>
    ```
  - The file's modification time and a diff against a known-good copy (e.g., from a backup) show which keys changed.
- Logcat traces:
  - Search for the component being started, noting the calling uid (2000 is the adb shell; any other app uid is a third-party caller):
    ```shell
    adb logcat | grep -E "Activity(Task)?Manager: START"
    ```
    On Android 10 and later the tag is ActivityTaskManager; older releases log ActivityManager.
- Network traffic:
  - If the app syncs SharedPreferences with a backend, monitor for unexpected API calls with tampered data.
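Both the developer-side mitigation in section 4 (validate SharedPreferences before use) and the forensic step above (compare a tampered shared_prefs file against a known-good copy) need to parse the shared_prefs XML format. The following Python is an added example, not code from the advisory or the app: it parses that format into typed values, seals a preferences map with an HMAC so that any write made behind the app's back breaks verification on load, and diffs two snapshots to show which keys an attacker changed. The two XML snapshots and their key names are constructed for the example; on Android the HMAC key would be held in the Keystore rather than passed as raw bytes.

```python
"""Parse Android shared_prefs XML, detect tampering with a keyed seal, and diff snapshots."""
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

# Constructed snapshots of <app>/shared_prefs/<file>.xml. Key names are placeholders;
# the advisory does not publish the real preference keys.
BEFORE_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="auth_token">t0k3n-original</string>
    <boolean name="is_premium_user" value="false" />
    <int name="launch_count" value="12" />
</map>
"""
AFTER_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="auth_token">hacked_token_123</string>
    <boolean name="is_premium_user" value="true" />
    <int name="launch_count" value="12" />
    <string name="ad_endpoint">http://attacker.invalid/ads</string>
</map>
"""
SEAL_KEY = "_integrity_seal"  # reserved preference name holding the seal


def parse_shared_prefs(xml_text):
    """Return {key: typed value} from SharedPreferences XML (string/boolean/int/long/float/set)."""
    prefs = {}
    for elem in ET.fromstring(xml_text):
        name = elem.get("name")
        if elem.tag == "string":
            prefs[name] = elem.text or ""
        elif elem.tag == "boolean":
            prefs[name] = elem.get("value") == "true"
        elif elem.tag in ("int", "long"):
            prefs[name] = int(elem.get("value"))
        elif elem.tag == "float":
            prefs[name] = float(elem.get("value"))
        elif elem.tag == "set":
            prefs[name] = sorted(item.text or "" for item in elem.findall("string"))
    return prefs


def compute_seal(prefs, key):
    """HMAC-SHA256 over a canonical serialisation of every key except the seal itself.

    `key` is a raw secret here only so the example runs offline; in the app it would be
    a Keystore-backed key (or the app would use EncryptedSharedPreferences instead).
    """
    body = {k: v for k, v in prefs.items() if k != SEAL_KEY}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seal(prefs, key):
    """Return a copy of prefs with the seal stored alongside the values."""
    sealed = dict(prefs)
    sealed[SEAL_KEY] = compute_seal(prefs, key)
    return sealed


def verify_seal(prefs, key):
    """True only if the stored seal matches; a write through the exposed component breaks it."""
    stored = prefs.get(SEAL_KEY)
    return stored is not None and hmac.compare_digest(stored, compute_seal(prefs, key))


def diff_prefs(before, after):
    """Forensic view: keys added, removed or changed between two snapshots."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k]) for k in before.keys() & after.keys() if before[k] != after[k]}
    return added, removed, changed


if __name__ == "__main__":
    key = b"example-key-not-for-production"
    good = seal(parse_shared_prefs(BEFORE_XML), key)
    print("sealed copy verifies:", verify_seal(good, key))
    tampered = dict(good, auth_token="hacked_token_123")
    print("tampered copy verifies:", verify_seal(tampered, key))
    print("diff:", diff_prefs(parse_shared_prefs(BEFORE_XML), parse_shared_prefs(AFTER_XML)))
```

The seal only detects tampering; it does not prevent it. An attacker who can also read the seal key could recompute it, which is why the key belongs in the Keystore and why the real fix is closing the exported component.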
Conclusion & Recommendations
Key Takeaways
- CVE-2023-29747 is rated critical for its low exploitation complexity and high impact, although the practical attack requires a malicious app on the same device.
- Exposed components in Android apps remain a common attack vector, often leading to data tampering, session fixation, and ad fraud.
- Developers must audit their apps for exported components, insecure SharedPreferences usage, and improper IPC mechanisms.
- Users should avoid untrusted apps and keep software updated to mitigate such risks.
Actionable Steps for Security Teams
- Patch Management:
  - Ensure all mobile apps in the enterprise are updated to the latest secure versions.
- Threat Hunting:
  - Monitor on-device telemetry for foreign apps starting exported components and for unexpected SharedPreferences modifications.
- Secure Development Training:
  - Train developers on secure Android coding practices, including:
    - Proper component export settings and permission gating.
    - Secure storage of sensitive data (e.g., Android Keystore, EncryptedSharedPreferences).
- Red Team Exercises:
  - Simulate Intent-based attacks to test app resilience.
Final Risk Assessment
| Factor | Risk Level | Justification |
|---|---|---|
| Exploitability | High | Public PoC available; low skill required. |
| Impact | Critical | Can lead to session hijacking, ad fraud, or privilege escalation. |
| Likelihood of Exploitation | High | Mass exploitation likely due to PoC availability. |
| Mitigation Feasibility | Medium | Requires app update; users must uninstall vulnerable version. |
Overall Risk: Critical (9.8/10) – Immediate action required.
References: