[Update: Fix Rolling Out] ES File Explorer vulnerability allows an attacker on the same network to grab any file from your phone, but it’ll be fixed
ES File Explorer was once touted as the file explorer to beat before being bought out by Cheetah Mobile. The application quickly became inundated with advertisements, but those with premium versions of the application may have continued to use it. Even now, I know people who still use the free version of the application, citing the fact that it “just works.” That’s despite the fact that there are many alternatives that are also just better across the board. MiXplorer, FX File Explorer, and Solid Explorer, just to name a few. Now it turns out that anyone using ES File Explorer can have any file stolen from their device remotely by somebody on the same network. The vulnerability was reported by French security researcher Baptiste Robert, who goes by the online pseudonym “Elliot Alderson” – a reference to the protagonist of the TV show Mr. Robot.
With more than 100,000,000 downloads ES File Explorer is one of the most famous #Android file manager.
The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone https://t.co/Uv2ttQpUcN
— Elliot Alderson (@fs0c131y) January 16, 2019
The exploit (via TechCrunch) works by a port that is opened up on the device when ES File Explorer is opened. In essence, every time you launch the application, a web server is opened. Robert wrote a proof of concept Python script that can connect to a mobile device running the app, connect to it, and list files of a certain type. It can then download any of those files directly from your phone. It’s a pretty serious vulnerability as it can allow anyone on the same network to download a file straight from your phone. It can even launch an app on your device too.
Thankfully, the developers of ES File Explorer gave a statement to AndroidPolice and it turns out that the vulnerability has already been fixed.
“We have fixed the http vulnerability issue and released it. Waiting for the Google market to pass the review.”
Once the update is out, we urge any users still using the application to update it immediately.
Update 1: Fix Rolling Out
Version 184.108.40.206 is now rolling out in the Play Store with a changelog that says “Fix http vulnerability in LAN.” If you are on version v220.127.116.11.4 or below, check for an update.