Vendor: KaiOS Technologies Inc.
Vendor URL: https://www.kaiostech.com/
Versions affected: KaiOS 3.0, KaiOS 3.1
Systems Affected: KaiOS-based mobile devices
Author: Tom Barrasso
CVE Identifier: CVE-2023-27108
The Communications application is vulnerable to information disclosure attacks.
An attacker can call the Web Activities API with the name
Promise that resolves to an array of data including phone numbers and timestamps. User interaction is not required.
Below is a photo of call logs exposed on the Nokia 2780 Flip browser running KaiOS 3.1 (Credit: github.com/sosumi1984).
Always use origin and/or permission checks when returning sensitive data like call logs via Web Activities.
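The recommendation above as an added sketch in JavaScript (not code from this advisory or from KaiOS): a default-deny gate that checks the caller's exact origin and a permission before any call-log data is read. The request shape, activity name, origin and permission name are hypothetical and do not represent the KaiOS Web Activities API.

```javascript
// Added illustration, not KaiOS code: the request shape ({name, caller}),
// the origin, the activity name and the permission name are all hypothetical.
const POLICY = new Map([
  ["example-get-call-log", {
    allowedOrigins: new Set(["https://trusted-dialer.example"]),
    requiredPermission: "example-call-log-read",
  }],
]);

// Constructed sample record standing in for the sensitive data.
const SAMPLE_CALL_LOG = [{ number: "+15550100", date: 1700000000000 }];

// Reduce a caller-supplied URL to its exact origin; reject anything that
// does not parse or that has an opaque ("null") origin.
function exactOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch (_) {
    return null;
  }
}

// Default deny: unknown activities, unlisted origins and callers without the
// permission are all refused before any data is read.
function authorize(name, caller) {
  const policy = POLICY.get(name);
  if (!policy) return { ok: false, reason: "unknown-activity" };
  const origin = exactOrigin(caller && caller.origin);
  if (!origin || !policy.allowedOrigins.has(origin)) {
    return { ok: false, reason: "origin-denied" };
  }
  const perms = Array.isArray(caller.permissions) ? caller.permissions : [];
  if (!perms.includes(policy.requiredPermission)) {
    return { ok: false, reason: "permission-denied" };
  }
  return { ok: true, reason: null };
}

function handleActivity(request, readData = () => SAMPLE_CALL_LOG) {
  const verdict = authorize(request.name, request.caller);
  // The data source is only touched after the caller has been authorized.
  return verdict.ok ? { result: readData() } : { error: verdict.reason };
}
```

Comparing the parsed origin for exact equality, rather than a prefix or substring of the caller URL, is what keeps a lookalike host or a different scheme from passing the check.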
KaiOS allows applications to limit potential Web Activity callers to a pre-defined list of origins. Here is an example from the Launcher app, which exposed an activity,
"get-app", that returns a list of installed apps. It is only made accessible to the Voice Assistant app using the