CVE-2023-40138 - How A Bug in FillUi.java Can Leak Your Private Images on Android Devices
A serious security vulnerability, CVE-2023-40138, was discovered in the Android Open Source Project (AOSP), specifically in the FillUi class (FillUi.java). In simple terms, this issue allows a local attacker (someone who can run apps on your device) to view another user’s images without any special permissions or your involvement. This vulnerability is especially dangerous because it doesn't require user interaction, and it could result in your private images being leaked to other users or apps on the same device.
In this post, we’ll break down what happened, show you relevant code snippets, explain how the exploit works, and link to trusted references so you can learn more.
1. What is a “Confused Deputy” Vulnerability?
Before we dive into the code, it's helpful to understand the problem. The “confused deputy” problem happens when a program (the deputy) that has access to certain resources is tricked into misusing its authority on behalf of another, less-privileged entity.
In CVE-2023-40138, some Android system code in FillUi.java is doing just that: it lets an app piggyback off system privileges to access an image it should not see.
Let’s take a look at a simplified code snippet from FillUi.java:
// FillUi.java, simplified snippet of the vulnerable ("before") code
if (icon.getUri() != null) {
    // No check that whoever supplied the dataset may read this URI:
    // the system UI opens it with its own privileges.
    imageView.setImageURI(icon.getUri());
}
At first glance, this looks harmless: when an icon has a URI, the code loads it into an image view. The problem is that no permission check is performed before the URI is loaded. If a malicious app supplies a URI that points to another user’s image, it can trick FillUi into loading and displaying that image with system-level privileges, bypassing the normal permission rules.
3. What’s the Impact?
- Local information disclosure: An app on the same device can obtain images from another user profile without being granted any permissions.
- No user interaction required: You don’t need to click, tap, or authorize anything. If you’re using a shared device (for example, with “Guest” or “Work” profiles), your images might be exposed to other profiles.
4. How Can an Attacker Exploit This? (Demo Flow)
Step 1: Attacker creates a malicious app and installs it on an Android device with multiple user profiles.
Step 2: The attacker’s app guesses or discovers a content URI for an image in another user’s profile or a protected app.
Step 3: The malicious app interacts with the Autofill service (which uses FillUi), feeding it a fake Autofill dataset with the crafted image URI.
Step 4: The Autofill system (running as a privileged “deputy”) loads the provided URI through the vulnerable code in FillUi.java, displaying the protected image inside the autofill suggestion UI.
Step 5: The malicious app can now read, capture, or save the image contents — all without the victim knowing.
5. How Is It Fixed?
The fix involves checking permissions before loading URIs, ensuring the image view can only access images that the requesting user/app is allowed to see.
Google’s patch refines the permission checks before setImageURI is called. Here is pseudocode for the fix:
// Pseudocode for the fix; userHasPermission stands in for the real permission check
if (icon.getUri() != null && userHasPermission(icon.getUri())) {
    imageView.setImageURI(icon.getUri());
} else {
    // Show a neutral default icon instead of content the user may not see
    imageView.setImageResource(R.drawable.default_icon);
}
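As an added example (not Google’s patch and not code from this post), here is one way the check sketched above as userHasPermission could be written in Android Java. It assumes the system UI knows the uid and pid of the package that supplied the dataset (callerUid, callerPid), adopts the policy that this UI never shows another user’s content, and uses a stock framework drawable as the fallback.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.widget.ImageView;

/** Added example, not AOSP code: only load an icon URI that the package
 *  which supplied the dataset could have read by itself. */
final class SafeIconLoader {
    private SafeIconLoader() {}

    /**
     * @param ctx       the privileged system UI context (the "deputy")
     * @param uri       icon URI taken from the untrusted dataset
     * @param callerUid uid of the package that supplied the dataset (assumed known)
     * @param callerPid pid of that package (assumed known)
     */
    static boolean callerMayRead(Context ctx, Uri uri, int callerUid, int callerPid) {
        if (uri == null) {
            return false;
        }
        // Only content:// URIs go through ContentProvider permission checks;
        // file:// and other schemes would be opened with the system UI's own rights.
        if (!ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) {
            return false;
        }
        // Android addresses another user's provider as "<userId>@authority".
        // This UI should only ever show its own user's content, so refuse any
        // authority carrying such a prefix (assumed policy for this example).
        String authority = uri.getAuthority();
        if (authority == null || authority.indexOf('@') >= 0) {
            return false;
        }
        // Ask the framework whether the caller (not the system UI) may read it.
        return ctx.checkUriPermission(uri, callerPid, callerUid,
                Intent.FLAG_GRANT_READ_URI_PERMISSION) == PackageManager.PERMISSION_GRANTED;
    }

    static void loadIcon(Context ctx, ImageView view, Uri uri, int callerUid, int callerPid) {
        if (callerMayRead(ctx, uri, callerUid, callerPid)) {
            view.setImageURI(uri);
        } else {
            // Neutral placeholder; never surface content the caller may not read.
            view.setImageResource(android.R.drawable.ic_menu_gallery);
        }
    }
}
```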
- Reported by: Google’s Android Security Team.
- Patched in: Android Security Bulletin September 2023 (link below).
7. References and Further Reading
- Android Security Bulletin – September 2023
- Google Issue Tracker (bug report) – May require Google account for access.
- CVE-2023-40138 (MITRE)
- Android AOSP Commit (example fix ref)
8. What Should You Do?
- Update your device: Make sure your Android device is running security patches from September 2023 or later.
- Don’t install suspicious apps: Especially if you use multiple profiles.
- Enterprises: If you use Android for Work or shared devices, ensure employees’ devices are updated and follow device-management best practices.
9. Conclusion
CVE-2023-40138 is a powerful example of why privilege management and permission enforcement are critical, even in simple UI code. A small bug in FillUi.java opened the door for private images to be leaked between users. If you haven’t updated your device since September 2023, you should patch now to stay safe.
Have further questions or want to know if your device is affected? Check the Android Security Bulletin or contact your device manufacturer. Stay safe!
Timeline
Published on: 10/27/2023 21:15:09 UTC
Last modified on: 10/30/2023 17:16:08 UTC