CVE-2023-40113 - Exploiting Missing Permission Checks to Access Cross-User Messages in Android
In recent years, Android has worked hard to tighten permissions and keep user data secure. But even with these protections, sometimes small mistakes slip through. One such issue is CVE-2023-40113, a vulnerability that affects certain Android devices and puts your private messages at risk.
This post explains in simple terms how this vulnerability works, how it can be exploited, and what you can do about it. If you’re a developer or security enthusiast, you’ll find clear code examples and links to deep-dive resources.
What is CVE-2023-40113?
CVE-2023-40113 is a vulnerability found in Android, affecting certain versions (detailed in Android’s security bulletins, see references). In simple terms, the bug means that apps could access message data belonging to other users on the same device, even if they weren’t supposed to.
Normally, each user's data on Android is separated, and permission checks ensure that apps can't snoop on each other. This vulnerability was caused by missing permission checks in multiple locations of the Android system code. Because of that, a malicious app installed on the device could read other users’ messages without any special privileges or interaction from the user!
Where Did Things Go Wrong?
This issue was caused by a missing or insufficient check when certain app components handled message data requests. Specifically, the code responsible for managing messages failed to verify if the calling app had authority to access another user's information.
Here’s a simplified code snippet showing what SHOULD have happened:
// Correct: the calling user must match the user that owns the data
if (UserHandle.getCallingUserId() != UserHandle.myUserId()) {
    // Not the same user: deny access
    throw new SecurityException("Access not allowed across users");
}
But in the vulnerable versions, that check was missing or incomplete:
// Vulnerable: no check for cross-user access
public Cursor getMessages(...) {
    // Direct database access; user isolation is missing
    return database.query(...);
}
This means that an app could request message data and receive it with no authorization check at all, as long as it addressed its query at another user's data.
Let’s break down how a malicious app could abuse CVE-2023-40113:
1. Malware App Installation: An attacker convinces a user to install a malicious app (no special permissions needed).
2. App Targets Content Providers: The app programmatically queries “ContentProvider” components responsible for messages (like SMS, IMs, or custom app messages).
3. Bypass User Checks: Since the check for cross-user access is missing, the app changes its query context or uses certain APIs to specify a different user than the one it is running as.
4. Access Other Users’ Messages: The app receives raw message data belonging to someone else (e.g., your work profile, guest user, or other profiles on the device).
Simple Exploit Demo Using ADB (for Demo Purposes)
Let’s demo how one might dump another user’s SMS database using ADB (for educational purposes only):
# List users on the device (requires adb debugging access)
adb shell pm list users
# Query the SMS content provider as user 10 (secondary users start at id 10)
adb shell content query --user 10 --uri content://sms
With CVE-2023-40113, even if the access should be denied, it might succeed due to missing checks!
*Note: A real-world exploit would be implemented in a malicious app using Java/Kotlin, but this shows the concept.*
Who’s at Risk?
Devices running vulnerable Android versions (see Android’s Security Bulletin – Sept 2023) are at risk. Typically, this affects:
- Tablets and shared devices
If you never use multiple users/profiles, you’re less at risk—but you should update your device anyway!
Google and Android partners patched the bug by adding robust permission checks:
// Patched: resolve the caller's user and compare it with the requested one
int callingUserId = UserHandle.getCallingUserId();
if (userId != callingUserId) {
    // userId is the user whose messages were requested
    throw new SecurityException("No cross-user access allowed.");
}
This ensures that an app can't just request someone else’s data. If they do, access is denied.
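The same check written out for an app-level ContentProvider using public Android APIs, covering both the "what should have happened" snippet above and the patched form. This is an added example, not the Android platform's own patched code; the class `MessageProvider`, the `messages` table and the `openMessagesDb()` helper are assumed names.

```java
import android.content.ContentProvider;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;
import android.os.UserHandle;

/*
 * Hypothetical provider for a per-user "messages" table. Declared abstract
 * so insert/update/delete/getType can be left out here; a concrete subclass
 * must call enforceSameUser() in each of them too.
 */
public abstract class MessageProvider extends ContentProvider {
    // Signature-level permission held only by privileged system components.
    private static final String INTERACT_ACROSS_USERS =
            "android.permission.INTERACT_ACROSS_USERS";

    /** Assumed helper: opens this user's own messages database. */
    protected abstract SQLiteDatabase openMessagesDb();

    /** Throws unless the caller runs as this provider's user or is privileged. */
    private void enforceSameUser() {
        // Read the caller's identity BEFORE any clearCallingIdentity(): after
        // that call getCallingUid() would report the provider's own uid.
        int callingUid = Binder.getCallingUid();
        UserHandle caller = UserHandle.getUserHandleForUid(callingUid);
        UserHandle self = Process.myUserHandle();
        if (caller.equals(self)) {
            return; // same user: normal path
        }
        if (getContext().checkCallingPermission(INTERACT_ACROSS_USERS)
                == PackageManager.PERMISSION_GRANTED) {
            return; // privileged cross-user caller (system components only)
        }
        throw new SecurityException("uid " + callingUid + " (" + caller
                + ") may not read messages belonging to " + self);
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        enforceSameUser(); // the check that was missing in CVE-2023-40113
        SQLiteDatabase db = openMessagesDb();
        return db.query("messages", projection, selection, selectionArgs,
                        null, null, sortOrder);
    }
}
```

Unit-test the check by calling the provider from a second user (`adb shell am start --user 10 ...` or an instrumentation test run as that user) and asserting that a SecurityException is thrown.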
References
- Android Security Bulletin – September 2023: https://source.android.com/docs/security/bulletin/2023-09-01
- CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40113
- Android multi-user docs: https://developer.android.com/guide/topics/admin/multi-user
What Should You Do?
End users:
- Update your device! If your device maker has published a September 2023 (or later) security patch, install it.
App developers:
- Never assume the system will “always” handle user isolation.
Security teams:
Conclusion
CVE-2023-40113 is a great reminder that even small missing checks can have big privacy consequences. It’s easy for even experienced developers to overlook these kinds of bugs, especially in complex, multi-user environments like Android.
Timeline
Published on: 02/15/2024 23:15:08 UTC
Last modified on: 11/06/2024 21:35:01 UTC