If you’ve been using Android for a while, you’ve probably used your fair share of file explorers. One of the best for a long time was ES File Explorer, but over the past few years, it’s turned into a buggy, ad-filled mess that’s basically unusable without the Pro upgrade. Now, it’s been revealed that the app has housed a security vulnerability for quite some time.
Nomad case for Pixel 3
Security researched Elliot Alderson recently revealed on Twitter that a flaw in the app makes your files vulnerable to theft if you’ve opened the app even one time. This isn’t overly serious, though, seeing as the attack can only occur on a local network. Still, with over 100 million downloads, this is something that ought to be fixed.
Alderson explains that this vulnerability occurs each time the app is opened. When launched, the app automatically opens up an HTTP server on port 59777. That might sound like gibberish to the average Joe, but to anyone with the proper knowledge, it’s very easy to exploit that to pull any files they want from your device. It’s generally a bad idea to be on a network with people you don’t know, but if you’re an ES File Explorer user, you might especially want to avoid it.
This flaw is present in every version of ES File Explorer up until version 18.104.22.168.4. The app’s developers, though, have contacted Android Police to note that they’ve already fixed the vulnerability and have rolled out the change via the Google Play Store. Version 22.214.171.124 seems to fix the problem and is available now.
With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN
— Elliot Alderson (@fs0c131y) January 16, 2019
More on Android apps:
- Google Maps now showing speed limits in more US cities including NYC, LA
- Twitter bug on Android has exposed protected tweets over the last 4 years for some users
- Weather Timeline update adds ‘MyRadar’ data from new owners; removes Dark Sky, other sources