1. Vulnerable Package and Version

• Package: com.handcent.app.nextsms
• Version: 10.9.9.7.

2. Details of the Vulnerability

        <provider
            android:name="com.handcent.sms.ti.b"
            android:exported="true"
            android:authorities="com.handcent.messaging.provider.MessageProvider"/> 

• The exported attribute for this component is set to True, but no proper permission settings have been applied.
• This misconfiguration allows a non-authenticated application to access the data in content provider.
• By accessing the path content://com.handcent.messaging.provider.MessageProvider/, not only can the Message table be exposed, but also other tables used by the app could potentially be revealed as well.

3. PoC

We have developed an application that triggers this vulnerability and attached the APK file along with a demonstration vedeo. This PoC demonstrates how the attached application accesses the MessageProvider to leak phone numbers and message history.

The provided code defines two buttons, each triggering a specific query to access different tables from a database through a ContentResolver.

• The provided code defines two buttons, each triggering a specific query to access different tables from a database through a ContentResolver.
• When the first button is clicked, it executes a query that attempts to retrieve all data from the “phones” table.
• When the second button is clicked, it performs a similar query but targets the “words” table.