In the early days of Android, ES File Explorer was one of the better ways to manage your storage. That hasn't been true for a long time, though. Not only is the app rather cluttered and buggy, security researcher Elliot Alderson (@fs0c131y on Twitter) points out this app makes your files vulnerable to theft. All you have to do is open it once.
According to Alderson, ES File Explorer launches an HTTP server on port 59777. This leaves your phone wide open to anyone on the local network with enough knowledge to exploit it. An attacker can use that port to inject a JSON payload. They can get information about the apps and files you have, and then it's a simple matter to download your data over the network. I have no way of knowing this, but it seems like this may be related to the app's file sharing feature. See below for a video demo.
With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN
— Elliot Alderson (@fs0c131y) January 16, 2019
ES File Explorer has north of 100 million downloads, so that could mean a lot of vulnerable devices out there. Thankfully, the attack only works over local networks. It's a good idea in general not to be on a network with untrusted people and devices, but this really drives the point home. Alderson says the vulnerability is in v220.127.116.11.4 and lower, and the Play Store page lists the same build. So, you aren't even safe on the latest version. There's no word from the developers yet, but ES File Explorer is still actively developed. Presumably, an update is forthcoming.
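To check a device of your own for the listener described above, the following added example (not from the original article or from Alderson's research) parses the kernel's socket tables for a LISTEN socket on port 59777 that is bound to a non-loopback address. It assumes you can read /proc/net/tcp and /proc/net/tcp6 on the device, for instance from a shell session; the function names and sample rows are constructed for illustration.

```python
import ipaddress
import struct

ES_HTTP_PORT = 59777  # port named in the article
TCP_LISTEN = 0x0A     # "st" value for a listening socket

# Constructed sample: /proc/net/tcp6 and /proc/net/tcp rows (not real device output).
SAMPLE = """\
  sl  local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode
   0: 00000000000000000000000000000000:E981 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10142 0 51234
   1: 0000000000000000FFFF00000100007F:E981 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10150 0 51301
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 2000 0 40112
   3: 0A00A8C0:E981 0B00A8C0:C5F2 01 00000000:00000000 00:00000000 00000000 10142 0 51377
   4: 00000000:E981 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10142 0 51235
"""

def decode_addr(hex_addr):
    """Decode an IPv4 or IPv6 address as printed in /proc/net/tcp{,6}."""
    raw = bytes.fromhex(hex_addr)
    count = len(raw) // 4
    # The kernel prints each 32-bit word in host order (little-endian on ARM/x86).
    words = struct.unpack(f"<{count}I", raw)
    return ipaddress.ip_address(struct.pack(f">{count}I", *words))

def exposed_listeners(proc_net_text, port=ES_HTTP_PORT):
    """Return (address, uid) for LISTEN sockets on `port` reachable off-device."""
    hits = []
    for line in proc_net_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue  # header or malformed row
        hex_addr, hex_port = fields[1].split(":")
        if int(fields[3], 16) != TCP_LISTEN or int(hex_port, 16) != port:
            continue  # not listening, or a different port
        ip = decode_addr(hex_addr)
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # treat ::ffff:127.0.0.1 as 127.0.0.1
        if not ip.is_loopback:
            hits.append((str(ip), int(fields[7])))  # fields[7] is the owning uid
    return hits

if __name__ == "__main__":
    for addr, uid in exposed_listeners(SAMPLE):
        print(f"port {ES_HTTP_PORT} listening on {addr} (uid {uid})")
```

A wildcard bind (`0.0.0.0` or `::`) means the socket accepts connections from any interface, including Wi-Fi; the uid column identifies which installed app owns it.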
We reached out to the ES File Explorer devs to try and get their side of the story, or at least find out if steps were being taken to eliminate this vulnerability. Sure enough, the devs claim to be on top of this and have come up with a fix:
"We have fixed the http vulnerability issue and released it. Waiting for the Google market to pass the review."
The most recent build in the Play Store is still the v18.104.22.168.4 one released this past Monday, so that review is apparently ongoing. Hopefully we'll see the fix land shortly.
While it was good to hear that a fix was in the works, we still had questions. In particular, was the "http vulnerability" the devs mentioned the primary file-access one, or could it be the MITM attack that also emerged as this story developed? Based on what they're telling us now, both of these glitches may have been resolved:
"The issue of unauthorized copying of files has been fixed by removing the corresponding code. The way a man-in-the-middle attack is avoided by the way the server upgrades."
We feel like something's getting a little lost in translation on that MITM bit, so we'll keep you posted if we learn anything else.
Finally, the updated ES File Explorer app has popped up on the Play Store (and at APK Mirror). Now at v22.214.171.124, it informs users in its release notes that "Fix http vulnerability in LAN" has been checked off the to-do list.