Xodo PDF Reader & Editor


Xodo has identified a vulnerability in the PDF viewer component of com.xodo.pdf.reader, v1.0. Values passed in certain Intent extras are parsed as XML and handed to the relevant APIs without sanitization, which Xodo reports allows an attacker to gain additional permissions on the device without requesting them. According to Xodo the defect is not in Xodo's own code but in the PDF View component, which does not validate user input before passing it on to those APIs; the report states that any permission declared in an android:permission attribute of an application's manifest (for example android.permission.BIND_DEVICE_ADMIN) can thereby be granted without any user consent. One app that uses the com.xodo.pdf.reader PDF viewer is "Bluelight Filter for Eye Care", which according to its Google Play Store listing has been installed between 1 million and 5 million times.

Xodo also found that the developer of "Bluelight Filter for Eye Care" was shipping an outdated version of the com.xodo.pdf.reader PDF viewer. The vulnerability has been patched in later versions, which are available on the Google Play Store.

Vulnerability information: Because of how com.xodo.pdf.reader parses Intent extras within PDF View, an attacker can add specific permissions on a victim's Android device without any user interaction or consent, potentially compromising sensitive data and privacy. Fix: ensure that every Intent extra that accepts an android:permission value is validated against the fixed list of system-defined Android permissions in the Android API reference, and reject anything that is not on that list. Xodo thanks Google for its assistance with this issue via the bug bounty program listed at https://www.bugcrowd.com/google.
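As an added illustration of the recommended fix (this is example code written for this page, not Xodo's or PDF View's code, and the extra key EXTRA_PERMISSION and the class name are hypothetical), the helper below reads a permission name from an Intent extra and accepts it only if it matches one of the constants in android.Manifest.permission, i.e. the system-defined permissions documented in the Android API reference. Anything else, including a non-string value or a permission name made up by the caller, is dropped before it can reach any permission-related API.

```java
import android.Manifest;
import android.content.Intent;
import android.os.Bundle;

import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper: validates a permission name received via an Intent extra. */
public final class PermissionExtraValidator {

    /** Hypothetical extra key; the advisory does not name the real one. */
    public static final String EXTRA_PERMISSION = "com.example.extra.PERMISSION";

    /** Allowlist of system-defined permissions, built once from android.Manifest.permission. */
    private static final Set<String> SYSTEM_PERMISSIONS = buildSystemPermissionSet();

    private static Set<String> buildSystemPermissionSet() {
        Set<String> names = new HashSet<>();
        // Every public static String field of android.Manifest.permission is a
        // system-defined permission name from the Android API reference.
        for (Field f : Manifest.permission.class.getFields()) {
            if (Modifier.isStatic(f.getModifiers()) && f.getType() == String.class) {
                try {
                    names.add((String) f.get(null));
                } catch (IllegalAccessException ignored) {
                    // public static final fields are always accessible
                }
            }
        }
        return Collections.unmodifiableSet(names);
    }

    /**
     * Returns the permission name carried in EXTRA_PERMISSION, or null if the extra
     * is absent, is not a plain String, or is not a system-defined Android permission.
     * The caller must treat null as "no permission supplied", never as a grant.
     */
    public static String readPermissionExtra(Intent intent) {
        if (intent == null) {
            return null;
        }
        Bundle extras = intent.getExtras();
        if (extras == null) {
            return null;
        }
        // Extras are untyped and fully attacker-controlled: check the type explicitly.
        Object raw = extras.get(EXTRA_PERMISSION);
        if (!(raw instanceof String)) {
            return null;
        }
        String name = ((String) raw).trim();
        // Only exact matches against the fixed allowlist are accepted.
        return SYSTEM_PERMISSIONS.contains(name) ? name : null;
    }

    private PermissionExtraValidator() {
    }
}
```

A validated name still says nothing about whether the sender actually holds that permission. Before acting on it, a receiving component should confirm the grant with the system rather than trusting the extra, for example by calling Context.checkCallingPermission(name) and proceeding only when it returns PackageManager.PERMISSION_GRANTED.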

package name: com.xodo.pdf.reader

language(s): English

available on: Android

from: Xodo Technologies Inc.