
The popular ES File Explorer allegedly has an open port vulnerability that exposes Android device data

  • 120 min read
  • 2019-01-17 04:02:50


ES File Explorer, one of the most popular file manager apps, has been found to run a hidden web server in the background, leaving the door open for anyone to access data on the device with a simple script.

A French security researcher, Baptiste Robert, who goes by the online handle Elliot Alderson, found the exposed port last week. He disclosed his findings in a tweet yesterday, stating, “The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone.”

https://twitter.com/fs0c131y/status/1085460755313508352

ES File Explorer hasn’t responded to the allegations yet. The app has more than 500 million downloads on the Google Play Store. Robert said that the app versions 4.1.9.5.2 and below have the open port.

According to TechCrunch, “Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos and app names — or even grab a file from the memory card — from another device on the same network. The script even allows an attacker to remotely launch an app on the victim’s device.”

The server running in the background can also use the HTTP protocol to stream videos to other apps. However, it also opens a door for an attacker to pull every piece of information from the Android device.

This vulnerability affects only devices connected to the same local network; the exposed web server cannot be used to steal information over the internet. It is still a threat, however, and an opportunity for any attacker present on the local network.
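To audit your own device for this class of exposure, the added example below (not code from the researcher or the app) parses the kernel's socket tables and lists sockets that an installed app has left listening on a non-loopback address, which is what makes a background server reachable from the local network. It assumes the text was captured from `/proc/net/tcp` and `/proc/net/tcp6` on a little-endian device, for instance over `adb shell`, and that app UIDs follow Android's standard ranges; the sample rows are constructed.

```python
import ipaddress

# Constructed sample of /proc/net/tcp followed by /proc/net/tcp6 (trailing
# columns trimmed). Ports and UIDs are invented for illustration.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 1111
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10153        0 2222
   2: 0A01A8C0:9C40 0B01A8C0:01BB 01 00000000:00000000 00:00000000 00000000 10153        0 3333
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:22B8 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10087        0 4444
   1: 00000000000000000000000001000000:0D05 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10087        0 5555
"""

TCP_LISTEN = "0A"  # state code the kernel prints for a listening socket


def decode_addr(hexaddr):
    """Decode the kernel's hex address (each 32-bit word in host byte order)."""
    raw = bytes.fromhex(hexaddr)
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    addr = ipaddress.ip_address(fixed)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    return getattr(addr, "ipv4_mapped", None) or addr


def app_label(uid):
    """Return the Android app label (e.g. u0_a153) or None for system UIDs."""
    user, app_id = divmod(uid, 100000)
    if 10000 <= app_id <= 19999:
        return f"u{user}_a{app_id - 10000}"
    return None


def exposed_app_listeners(proc_net_text):
    """List (app label, bind address, port) for app sockets reachable off-device."""
    findings = []
    for line in proc_net_text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].endswith(":") or f[3] != TCP_LISTEN:
            continue  # header row, short row, or not a listening socket
        host, port = f[1].rsplit(":", 1)
        addr, label = decode_addr(host), app_label(int(f[7]))
        if label and not addr.is_loopback:
            findings.append((label, str(addr), int(port, 16)))
    return findings


if __name__ == "__main__":
    for label, addr, port in exposed_app_listeners(SAMPLE):
        print(f"{label} listens on {addr}:{port}")
```

Each reported label can then be matched against the UIDs of the installed packages to identify the app that owns the socket.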

For more details on this news, visit GitHub.

Here’s a short video demonstrating the vulnerability by Baptiste Robert.

https://www.youtube.com/watch?v=z6hfgnPNBRE

