For the longest time, ES File Explorer was the de facto file manager on Android. As time has gone on, however, it’s proven to be less trustworthy. A recent vulnerability reminds us why there are better choices now.
As reported by Android Police, there’s a new vulnerability in ES that exposes your files to anyone on the same network—you only need to open the app once. This bug was found by researching Elliot Alderson, who posted about it on Twitter.
With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN
— Elliot Alderson (@fs0c131y) January 16, 2019
Apparently, ES leaves port 59777 open on your phone after it’s launched, giving anyone on the same network access to the file structure and beyond. An attacker can use that open port to inject a JSON payload, then get access to—and download—all of your info.
The upside is that the ES team knows about the issue and says it’s been fixed, with an update incoming:
We have fixed the http vulnerability issue and released it. Waiting for the Google market to pass the review.
Still, given ES’ rocky history, this is just another opportunity to remind everyone there are better options out there. If you insist on using ES, I would at least suggestion steering clear of it until the update that fixes this bug is available in the Play Store.
via Android Police