ES File Explorer is one of the most popular ways to manage storage on Android devices. Though there are inbuilt file managers in most modern Android phones (unlike before), the app is still preferred in most cases because of its various features.
However, the app is buggy and to add to users annoyance, the app keeps getting bloated functions that no one needs or ever asked for.
To make matters worse, latest findings from security researcher Elliot Alderson says the app exposes users data to theft by making it accessible to anyone that is on the same network with the device that has ES File Explorer installed.
According to Alderson, ES File Explorer launches an HTTP server on port 59777 which leaves the phone that ES File Explorer is installed exposed to anyone on the network.
The researcher explained that anyone with knowledge to exploit can use the port to inject a JSON payload.With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.— Elliot Alderson (@fs0c131y) January 16, 2019
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN
"Technically, everytime a user is launching the app, a HTTP server is started," Alderson said. "This server is opening locally the port 59777. On this port, an attacker can send a JSON payload to the target."
In other words, anyone on the same network can access apps information, files - in fact, download your data without your knowledge of it.
"These commands allow an attacker connected on the same local network to the victim, to obtain a lot of juicy information (device info, app installed,...) about the victim's phone, remotely get a file from the victim's phone and remotely launch the app on the victim's phone," the open port report read.
ES File Explorer has over one hundred million downloads on the Google Play Store which isn't good news because the vulnerability affects all users of the app including those using the latest version which is available on the Google Play Store.
However, the good news is that the developers are aware and have acknowledged the presence of the vulnerability to Androidpolice.
"We have fixed the http vulnerability issue and released it. Waiting for the Google market to pass the review," a spokesperson for ES File Explorer told Androidpolice.