CVE-2023-40123 - How a Confused Deputy in PipMenuView Leaked Protected Information on Android

In August 2023, a vulnerability was identified in the Android Open Source Project (AOSP) that could allow a local information disclosure between users on the same device. This was tracked as CVE-2023-40123 and affects the updateActionViews method in PipMenuView.java. The bug arises from a confused deputy problem, letting one user access sensitive data from another user without consent, and without extra permissions. This post breaks down the vulnerability, explains the code flaw, and provides a proof-of-concept exploit.

What Is a Confused Deputy?

A “confused deputy” is a classic security flaw. It happens when a program (the deputy) has higher privileges and mistakenly uses those privileges on behalf of an unprivileged user, letting them bypass security restrictions. In Android, this is particularly dangerous in devices with multi-user support—because one user should never have access to another’s private info.

Where’s the Problem?

The vulnerability is inside the Picture-in-Picture (PiP) menu system, specifically in the PipMenuView. This class manages interactive controls for PiP windows.

Here’s What Happened

The updateActionViews method is responsible for updating controls (like Play, Pause, etc.) based on user actions. However, it failed to correctly check which user triggered the action and which user's data it was operating on. This created a “confused deputy” scenario where an app running under one user could indirectly act on another user's data.

Here’s a simplified code snippet to illustrate the issue

// PipMenuView.java (before fix)
void updateActionViews(List<RemoteAction> actions) {
    // Assume 'actions' come from the currently focused PiP activity
    // But the source of these actions is not properly validated!
    for (RemoteAction action : actions) {
        // Attaches actions to PiP control views
        addActionToMenu(action);
    }
}

The problem: The function uses an incoming list of PiP actions, but does not check if those came from the *current user*. As a result, an app running as User B could inject actions that reveal or operate on User A’s private apps.

Type: Local Information Disclosure.

- Attack Scenario: A malicious app running as User B leverages the PiP menu API to get information or trigger actions associated with User A’s apps.

User A: Is using a video app in Picture-in-Picture mode, perhaps watching confidential content.

2. User B: Installs a malicious app, which leverages the PiP menu APIs to try to get the list of available RemoteActions.
3. Using IPC (inter-process communication), the app as User B receives a message with actions list that *should* only be accessible to User A.
4. The code in PipMenuView doesn’t verify the *user ID* attached to the action source, so User B sees info meant only for User A.

Proof of Concept Exploit

// PoC: Malicious app running as User B
List<RemoteAction> pipActions = getPiPActionsFromSystem(); // Bug: gets actions for User A
for (RemoteAction action : pipActions) {
    Log.d("Exploit", "Found PiP action: " + action.getTitle());
    // Now User B can infer User A's running apps or actions
}

List apps currently in PiP mode for another user.

- Trigger operations (like play/pause) on another user’s app, possibly revealing active content or other metadata.

Original References

- Google Android Security Bulletin, August 2023
- CVE-2023-40123 at NVD
- AOSP Patch Commit (for the bugfix)

The Fix

The fix involves adding a check to ensure the actions being updated in updateActionViews actually belong to the *current user*, preventing cross-user data leaks.

Patched Code Example

// PipMenuView.java (after fix)
void updateActionViews(List<RemoteAction> actions, int userId) {
    if (userId != ActivityManager.getCurrentUser()) {
        // Ignore actions from another user
        return;
    }
    for (RemoteAction action : actions) {
        addActionToMenu(action);
    }
}

Google marked this issue as high severity and issued patches across all supported versions.

Final Thoughts

This vulnerability is a great real-world example of why rigorous user boundary checks are vital in multi-user systems. While it doesn’t grant remote code execution, the ability to leak or trigger actions across user profiles is a big privacy problem.

If you use a multi-user Android device, make sure you’re running a system updated in August 2023 or later. App developers should be aware that IPC and shared UI components must always validate the user context.

Further Reading

- Confused Deputy Problem (Wikipedia)
- Android Multi-user Security Docs

Timeline

Published on: 10/27/2023 21:15:08 UTC
Last modified on: 10/30/2023 17:13:46 UTC