In this post, we’ll dive deep into CVE-2018-9379—a lesser-known but important Android security vulnerability. This issue affected the Android platform through the MiniThumbFile.java source, leading to a situation where apps could potentially view thumbnails of photos even after those photos had been deleted. This happened because of a security flaw called a “confused deputy.” Let’s explore what this means, see code that exposes the problem, and understand what could happen if the bug is exploited.
What Is CVE-2018-9379?
Basically, on affected devices, deleting a photo didn’t guarantee its thumbnail was gone, and apps on the device—with minimal privileges—could access and view those leftover thumbnail images. The “confused deputy” problem means the system service that was supposed to protect files (like photo thumbnails) could be tricked (unintentionally) into leaking them.
Attackers don’t need special permissions. There’s no need for user interaction. All an app had to do was ask the system for thumbnails, and sometimes, it’d get them—even for already deleted photos.
Where Does the Problem Live?
The affected code is in Android’s AOSP repository, specifically in the file called MiniThumbFile.java in the frameworks/base/media/java/android/media path.
This component is responsible for managing miniature thumbnail files for media data such as photos. When the actual photo is deleted, the associated thumbnail file can linger on disk, and checks for permissions or deletion may not be robust enough.
Code Snippet
Here’s a simplified code snippet (based on public info and AOSP history) that shows how a thumbnail is fetched. Notice there are no strict checks to see if the original file is still available or if the caller should see the thumbnail:
public synchronized byte[] getMiniThumbFromFile(long id, byte[] data) {
// Tries to find the thumbnail file associated with an image
File thumbFile = getThumbFile(id);
if (thumbFile != null && thumbFile.exists()) {
try (RandomAccessFile file = new RandomAccessFile(thumbFile, "r")) {
byte[] buffer = new byte[(int)file.length()];
file.readFully(buffer);
return buffer; // Returns thumbnail data
} catch (IOException ex) {
// Handle error
}
}
return null;
}
Malicious app installed: An attacker releases a seemingly innocent app (like a wallpaper app).
2. App requests thumbnails: Using standard Android APIs, the app queries the device for image thumbnails—even for past/deleted images.
3. Access to deleted content: The app receives thumbnails of images the user already deleted, potentially exposing private material.
4. No permissions needed: The app doesn’t require special photo access permissions. Thumbnails are delivered via service functions.
Sample Exploit Workflow
When an app wants to get image thumbnails, it typically queries through a content provider or direct code, like so:
Cursor cursor = context.getContentResolver().query(MediaStore.Images.Thumbnails.EXTERNAL_CONTENT_URI,
null,
null,
null,
null
);
if (cursor != null) {
while (cursor.moveToNext()) {
String thumbPath = cursor.getString(cursor.getColumnIndex(MediaStore.Images.Thumbnails.DATA));
// The app can now read the thumbnail file, even for deleted images
}
cursor.close();
}
Apps might get access to thumbnails referencing deleted photos, giving a basic but real privacy leak.
Who’s at Risk?
- Android users: Specifically those on Android versions prior to the patch in AOSP (see references below).
- Devices using vulnerable AOSP code: Not all manufacturers patch quickly, so custom ROMs or older devices are especially at risk.
Mitigation
- Update your device: If a patch is available, apply it. Starting with the November 2018 Security Patch, this issue was closed.
- Be wary of unfamiliar apps: Only install trusted apps, as this issue illustrates how little privilege is sometimes enough for sensitive leaks.
- Delete sensitive data with caution: Note that deleting a file might not remove all traces until the OS is patched.
References
- Google Android Security Bulletin: November 2018
- AOSP Commit Closing the Issue (Search for MiniThumbFile.java fix)
- CVE-2018-9379 at NVD
- MiniThumbFile.java (AOSP source)
Final Thoughts
CVE-2018-9379 is a great example of how “deleted” doesn't always mean “gone,” especially in the digital world. Seemingly throwaway leftovers—like thumbnail files—can pose a real threat to user privacy. Always keep your device updated, and never underestimate the power of small leaks; a thumbnail might still betray your secrets.
Timeline
Published on: 01/17/2025 23:15:11 UTC
Last modified on: 03/13/2025 20:15:13 UTC