Vendor: KaiOS Technologies Inc.
Vendor URL: https://www.kaiostech.com/
Versions affected: KaiOS 3.0, KaiOS 3.1
Systems Affected: KaiOS-based mobile devices
Author: Tom Barrasso
CVE Identifier: CVE-2023-27108
Risk: High
KaiOS is a mobile operating system based on Firefox OS. The operating system comes with a number of pre-installed "certified" applications including the Communications application, which exposes call log data via the Web Activities API. Firefox OS mobile applications are built using JavaScript and HTML.
The Communications application is vulnerable to information disclosure attacks.
/system/b2g/webapps/communications/
An attacker can call the Web Activities API with the name "getCallLogList" via JavaScript. The Communications app does not perform any permission checks on the caller, and as a result, call log data is exposed to either an installed app or a web page opened in the system Browser. The call returns a Promise that resolves to an array of data including phone numbers and timestamps. User interaction is not required.
Below is a photo of call logs exposed on the Nokia 2780 Flip browser running KaiOS 3.1 (Credit: github.com/sosumi1984).
Always use origin and/or permission checks when returning sensitive data like call logs via Web Activities.
KaiOS allows applications to limit potential Web Activity callers to a pre-defined list of origins.
Here is an example from the Launcher app, which exposes an activity, "get-app", that returns a list of installed apps. It is only made accessible to the Voice Assistant app using the "allowedOrigins" property.
    "get-app": {
        "returnValue": true,
        "allowedOrigins": [
            "http://kaios-voiceassistant.localhost"
        ]
    }
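As an added example (not code from this advisory or from KaiOS), the Node.js lint below applies the recommendation to a map of activity declarations shaped like the "get-app" fragment and reports any that return data without a usable "allowedOrigins" list. The function names are hypothetical, and every sample entry other than "get-app" is constructed for illustration; where the activity map sits inside a given manifest is left to the caller.

```javascript
// Added example: lint Web Activity declarations for missing caller restrictions.
// Input shape follows the "get-app" fragment: { name: { returnValue, allowedOrigins } }.

function isBareOrigin(value) {
  if (typeof value !== "string") return false;
  try {
    // A bare origin round-trips unchanged (no path, query, or wildcard).
    return new URL(value).origin === value;
  } catch {
    return false;
  }
}

function auditActivities(activities) {
  const findings = [];
  for (const [name, decl] of Object.entries(activities)) {
    // Only activities that hand data back to the caller are in scope.
    if (!decl || decl.returnValue !== true) continue;
    const origins = decl.allowedOrigins;
    if (origins === undefined) {
      findings.push({ name, issue: "returns data with no allowedOrigins list" });
    } else if (!Array.isArray(origins) || origins.length === 0) {
      findings.push({ name, issue: "allowedOrigins is empty or not a list" });
    } else {
      for (const o of origins.filter((entry) => !isBareOrigin(entry))) {
        findings.push({ name, issue: `allowedOrigins entry is not a bare origin: ${o}` });
      }
    }
  }
  return findings;
}

// Constructed sample: "get-app" is the fragment above; the other entries are
// hypothetical declarations written for this example, not copied from a device.
const sampleActivities = {
  "get-app": { returnValue: true, allowedOrigins: ["http://kaios-voiceassistant.localhost"] },
  "getCallLogList": { returnValue: true },
  "example-export": { returnValue: true, allowedOrigins: ["*"] },
  "example-open": { returnValue: false },
};

console.log(auditActivities(sampleActivities));
```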