Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 06329e5f authored by Carlos Valdivia's avatar Carlos Valdivia
Browse files

[Security] Prevent malicious notifications from AMS. 

There was a hole in the getAuthToken logic that allowed notifications
resulting from getAuthToken requests using notifyOnAuthFailure=true to
launch arbitrary activites on the device. This is because the
getAuthToken session overrode onResult (unlike addAccount, updateCreds,
or confirmCreds).

Bug: 13787929
Change-Id: Ife1d48835f48416c2f0690f1413a076b69215190
parent dce92891

services/core/java/com/android/server/accounts/AccountManagerService.java

+16 −2
Original line number Diff line number Diff line
@@ -2237,8 +2237,13 @@ public class AccountManagerService 
                }

            }



            new Session(accounts, response, account.type, expectActivityLaunch,

                    false /* stripAuthTokenFromResult */, account.name,

            new Session(

                    accounts,

                    response,

                    account.type,

                    expectActivityLaunch,

                    false /* stripAuthTokenFromResult */,

                    account.name,

                    false /* authDetailsRequired */) {

                @Override

                protected String toDebugString(long now) {
@@ -2310,6 +2315,15 @@ public class AccountManagerService 


                        Intent intent = result.getParcelable(AccountManager.KEY_INTENT);

                        if (intent != null && notifyOnAuthFailure && !customTokens) {

                            /*

                             * Make sure that the supplied intent is owned by the authenticator

                             * giving it to the system. Otherwise a malicious authenticator could

                             * have users launching arbitrary activities by tricking users to

                             * interact with malicious notifications.

                             */

                            checkKeyIntent(

                                    Binder.getCallingUid(),

                                    intent);

                            doNotification(mAccounts,

                                    account, result.getString(AccountManager.KEY_AUTH_FAILED_MESSAGE),

                                    intent, accounts.userId);