Guidelines
Bug description
VoiceCallShare is an exported activity that reads a phone number out of a content:// URI and immediately places a call. It never checks which app the URI came from, so a malicious app can point Signal at its own content provider and have Signal call whatever number it wants.
File: app/src/main/java/org/thoughtcrime/securesms/webrtc/VoiceCallShare.java, around line 30.
To reproduce, another app on the device (with CALL_PHONE) fires an intent like:
```kotlin
Intent(ACTION_VIEW)
    .setDataAndType(Uri.parse("content://evil.provider/x"),
                    "vnd.android.cursor.item/vnd.org.thoughtcrime.securesms.videocall")
```
Its provider returns any number in the data1 column, and Signal places the call from the user's account. The call UI does pop up so the user can hang up, but by then it has already rung the attacker's chosen number using the victim's identity.
One-line fix, before the query() call:
```java
// Only accept URIs served by the system contacts provider; any other
// authority means the URI came from an untrusted app's provider.
if (!ContactsContract.AUTHORITY.equals(getIntent().getData().getAuthority())) {
  finish();
  return;
}
```
Same bug pattern also exists in SystemContactsEntrypointActivity.java around line 78, but with lower impact — it pre-populates a compose window instead of starting a call. Worth fixing in the same patch.
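The check above is the right primitive for this class of bug: an activity receiving an implicit ACTION_VIEW intent has no reliable way to learn which app sent it (getCallingActivity() only works for startActivityForResult callers), so the only thing it can validate is the URI itself. The following is an added example, not Signal's code, showing that check as a standalone helper that both affected activities could share. It is plain Java so it runs outside Android: the scheme and authority are taken from java.net.URI here, whereas in the app they would come from android.net.Uri#getScheme()/getAuthority(), and TRUSTED_AUTHORITY is the value of ContactsContract.AUTHORITY. The sample URIs are constructed; the first is the attacker-controlled one from the report.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example (hypothetical helper, not part of the Signal code base):
// decide whether a content:// URI handed to an exported activity may be
// queried for a phone number.
public final class ContactUriGuard {
    // Value of android.provider.ContactsContract.AUTHORITY.
    static final String TRUSTED_AUTHORITY = "com.android.contacts";

    /**
     * Returns true only if the URI is a content:// URI served by the system
     * contacts provider. Anything else (other scheme, other authority,
     * userinfo tricks, malformed or null input) is rejected so the caller
     * can finish() before touching the provider.
     */
    public static boolean isTrustedContactUri(String uriString) {
        if (uriString == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(uriString);
        } catch (URISyntaxException e) {
            return false;
        }
        // getAuthority() includes any userinfo, so
        // "content://com.android.contacts@evil.provider/x" does not match.
        return "content".equals(uri.getScheme())
            && TRUSTED_AUTHORITY.equals(uri.getAuthority());
    }

    public static void main(String[] args) {
        // Constructed inputs: the report's attacker URI, a contacts-provider
        // URI of the shape the activity is meant to receive, and edge cases.
        String[] samples = {
            "content://evil.provider/x",
            "content://com.android.contacts/data/42",
            "content://com.android.contacts.evil/data/42",
            "content://com.android.contacts@evil.provider/data/42",
            "file:///sdcard/contacts.txt",
            null,
        };
        for (String s : samples) {
            System.out.println((isTrustedContactUri(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```

Calling `isTrustedContactUri(getIntent().getData().toString())` at the top of onCreate() in both VoiceCallShare and SystemContactsEntrypointActivity, and finishing when it returns false, closes both reports with one shared check. Keeping the comparison as a whole-authority equality rather than a prefix or contains test matters: the third and fourth samples above show authorities that merely look like the contacts provider and must still be rejected.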
Screenshots
No response
Device
No response
Android version
No response
Signal version
No response
Link to debug log
No response