ADVISORY INFORMATION

  • Product: Framer Preview
  • Vendor URL: https://www.framer.com/
  • Type: Improper Export of Android Application Components [CWE-926]
  • Date found: 2020-09-06
  • Date published: 2020-09-22
  • CVSSv3 Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
  • CVE: CVE-2020-25203

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

Framer Preview 12

INTRODUCTION

Framer Preview is the best way to view and interact with your Framer X and Framer Classic projects on Android phones and tablets.

(from the vendor’s homepage)

VULNERABILITY DETAILS

The “Framer Preview” app for Android exposes an activity called “com.framer.viewer.FramerViewActivity” to other apps. The purpose of this activity is to show the contents of a given URL to the app user via a fullscreen overlay.

However, the app neither enforces any authorization schema on the activity nor validates the given URL.

This can be abused by an attacker (malicious app) to load any website/web content into the fullscreen overlay. An exemplary exploit could look like the following:

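// Explicit intent addressed to the exported activity; no authorization is enforced on it.
Intent i = new Intent();
i.setComponent(new ComponentName("com.framerjs.android", "com.framer.viewer.FramerViewActivity"));
i.setAction("android.intent.action.VIEW");
// The URL is not validated by the activity and is shown in the fullscreen overlay.
i.setData(Uri.parse("https://www.rcesecurity.com"));
startActivity(i);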
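
The two missing checks described above (no restriction on who may start the activity, no validation of the URL) can be closed on the app side roughly as follows. This is an added example, not code from the advisory or from the vendor; the class name, the host allowlist and the onCreate() sketch in the comments are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example (hypothetical names). Manifest side: if no other app needs to start the
// viewer activity, declare it android:exported="false", or guard it with android:permission
// set to a signature-level permission. URL side: validate intent data before loading it:
//   Uri data = getIntent().getData();
//   if (data == null || !PreviewUrlPolicy.isAllowed(data.toString())) { finish(); return; }
public final class PreviewUrlPolicy {
    // Assumption: the only hosts the viewer legitimately has to display.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("preview.example.com", "share.example.com"));

    private PreviewUrlPolicy() {}

    /** True only for https URLs on an allowlisted host, default port, no userinfo. */
    public static boolean isAllowed(String raw) {
        if (raw == null) return false;
        final URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return false;                                              // reject, never repair
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;  // no http/file/javascript/content
        if (uri.getRawUserInfo() != null) return false;                // "allowed-host@other-host" confusion
        if (uri.getPort() != -1 && uri.getPort() != 443) return false;
        String host = uri.getHost();
        if (host == null) return false;                                // opaque or malformed authority
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));  // exact match, no suffix test
    }

    public static void main(String[] args) {
        String[] samples = {                                           // constructed inputs
            "HTTPS://Preview.Example.com/p/1",
            "https://www.rcesecurity.com",
            "http://preview.example.com/p/1",
            "https://preview.example.com@attacker.example/",
            "https://preview.example.com.attacker.example/",
            "javascript:alert(1)",
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW " : "BLOCK ") + s);
        }
    }
}
```

The class uses only java.net and java.util, so it compiles and runs outside Android; in the app, the check belongs before any call that hands the URL to the view.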

RISK

A malicious app on the same device is able to exploit this vulnerability to lead the user to any webpage/content. The specific problem here is the assumed trust boundary between the user having the Framer Preview app installed and what the app is actually doing/displaying to the user. If the user sees the app being launched and automatically loading a page, it can be assumed that the user also trusts the loaded page.

SOLUTION

None

REPORT TIMELINE

  • 2020-09-06: Discovery of the vulnerability
  • 2020-09-06: CVE requested from MITRE
  • 2020-09-07: Contacted vendor via their security@, no response
  • 2020-09-08: MITRE assigns CVE-2020-25203
  • 2020-09-09: Informed vendor about the CVE assignment, no response
  • 2020-09-22: Public disclosure due to unresponsive vendor

REFERENCES

None