The BitsLab "Web3 Escort Program" security team discovered and assisted in fixing an arbitrary account takeover vulnerability in the Android App.
On May 21, the security team of the "Web3 Escort Program" initiated by BitsLab discovered an arbitrary account takeover vulnerability in the Android App of a well-known meme trading platform and assisted the platform in fixing it. An audit of the App found that it bundled a third-party browser component whose onCreate method contained an Intent Redirection vulnerability; combined with an improperly configured FileProvider in the App, this allowed a known system weakness to be used to read any file in the App's private sandbox. By chaining these issues, an attacker could read the sensitive files holding user tokens in the platform's Android App, take over the user's account, and from there directly endanger the user's assets, which makes the vulnerability very serious.
After taking the vulnerability into the "Web3 Escort Program", the BitsLab security team performed a full technical analysis, documenting the root cause and the attack path, and proposed targeted remediation measures. This helped the trading platform avoid information leakage and user asset loss and significantly improved the privacy and security of its Android App. BitsLab also recommends that all project teams check their own Android Apps for improper FileProvider configurations.
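As an added illustration of the bug class described above (this is not code from BitsLab or from the affected platform), the following Kotlin snippet shows the defensive check an exported Android Activity should apply before forwarding an Intent it received from another app, which is the pattern behind Intent Redirection; the class and extra names are hypothetical.

```kotlin
// Added defensive example; ForwardingActivity and EXTRA_FORWARD_INTENT are
// hypothetical names, not identifiers from the affected App.
import android.app.Activity
import android.content.ComponentName
import android.content.Intent
import android.os.Bundle

class ForwardingActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Weak pattern (the bug class on the page): an exported activity pulls an
        // Intent out of its own extras and calls startActivity() on it unchanged.
        // That call runs with this app's identity, so a caller can reach this
        // app's non-exported components and any URI grants the app can hand out.
        val forward: Intent? = intent.getParcelableExtra(EXTRA_FORWARD_INTENT)
        if (forward == null || !isSafeToForward(forward)) {
            finish()
            return
        }
        startActivity(forward)
    }

    /** Accepts only intents that cannot be turned against this app's own components. */
    private fun isSafeToForward(target: Intent): Boolean {
        // 1. Never forward into our own package: that is how a non-exported
        //    component, or our own FileProvider, would be reached.
        val component: ComponentName? = target.resolveActivity(packageManager)
        if (component == null || component.packageName == packageName) return false

        // 2. Never carry URI read/write grants along with a forwarded intent.
        val grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION or
                Intent.FLAG_GRANT_WRITE_URI_PERMISSION or
                Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION or
                Intent.FLAG_GRANT_PREFIX_URI_PERMISSION
        if ((target.flags and grantFlags) != 0) return false
        return true
    }

    // 3. On the FileProvider side, the <paths> resource should expose only the
    //    specific subdirectories that actually need sharing; a <root-path> entry
    //    or a path of "." exposes the whole sandbox, including token storage.
    companion object { const val EXTRA_FORWARD_INTENT = "forward_intent" }
}
```

Review of the `<paths>` resource referenced in the last comment is the concrete check the recommendation above asks project teams to perform.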
The discovery and remediation of this serious vulnerability in the well-known meme trading platform's Android App further highlights the contribution of the BitsLab team and the "Web3 Escort Program" to the security of blockchain assets worldwide.