Skip to content

Reading Contact Photos Without READ_CONTACTS A Google Messag...#2462

Open
carlospolop wants to merge 1 commit into
masterfrom
update_Reading_Contact_Photos_Without_READ_CONTACTS_A_G_b97f1b5b55e29e4a
Open

Reading Contact Photos Without READ_CONTACTS A Google Messag...#2462
carlospolop wants to merge 1 commit into
masterfrom
update_Reading_Contact_Photos_Without_READ_CONTACTS_A_G_b97f1b5b55e29e4a

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

This blog post describes a fixed Google Messages for Android vulnerability in AvatarContentProvider that allowed an installed attacker-controlled app with no Contacts permissions to read protected Android Contacts photos. The issue is a classic confused deputy: Google Messages, which had access to Contacts in the tested environment, dereferenced an attacker-supplied Contacts photo URI using its own UID, rendered the protected image as PNG, and returned the resulting...

🔧 Technical Details

Confused deputy via exported Android ContentProvider: If an exported provider accepts an attacker-controlled content:// URI and dereferences it with the provider app's own permissions, a lower-privileged app can cause a higher-privileged app to access protected data on its behalf. The generic exploitation pattern is to identify an exported provider with no caller permission, find a parameter that accepts a backend URI, supply a URI protected by another app's permission model, and read the provider's transformed response.

Permission bypass through image rendering or transcoding: A provider does not need to return the original protected file byte-for-byte to leak data. If it loads protected content, decodes it as a bitmap, resizes it, renders it, caches it, or transcodes it into another image format, the transformed output is still a disclosure of the protected source. In this case, Google Messages returned image/png th...

🤖 Agent Actions

Non-final status update:

  • Confirmed the repo still has a single modified file:
    • src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
  • Performed one small cleanup edit:
    • removed extra trailing blank lines at the end of the file
  • Re-validated:
    • git diff --check is clean
    • file still ends with the expected HackTricks training banner include
    • exactly one trailing newline remains after the banner

I am still not providing the final report yet.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://blog.devploit.dev/posts/google-messages-avatarcontentprovider-contacts-bypass

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting > Android Applications Pentesting > content:// protocol / Exploiting Content Providers".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant