Update 1/18/19 @ 4:00PM CT: The developers of ES File Explorer have issued an update to their app that fixes the vulnerability.

ES File Explorer was once touted as the file explorer to beat before it was bought out by Cheetah Mobile. The application quickly became inundated with advertisements, but those with the premium version may have continued to use it. Even now, I know people who still use the free version, citing the fact that it "just works." That's despite the many alternatives that are simply better across the board, such as MiXplorer, FX File Explorer, and Solid Explorer, to name a few. Now it turns out that anyone using ES File Explorer can have any file on their device stolen by somebody on the same local network. The vulnerability was reported by French security researcher Baptiste Robert, who goes by the online pseudonym "Elliot Alderson," a reference to the protagonist of the TV show Mr. Robot.

The exploit (via TechCrunch) relies on a port that ES File Explorer opens on the device whenever the app is launched. In essence, every time you start the application, it begins running an HTTP server that accepts requests from any host on the same network. Robert wrote a proof-of-concept Python script that connects to a phone running the app, lists files of a chosen type, and then downloads any of those files directly from the device. It's a serious vulnerability: anyone on the same Wi-Fi network can pull a file straight off your phone, and the same interface can also be used to launch an app on your device.

Thankfully, the developers of ES File Explorer gave a statement to AndroidPolice, and it turns out that a fix has already been written and is awaiting review on the Play Store.

"We have fixed the http vulnerability issue and released it. Waiting for the Google market to pass the review."

Once the update is out, we urge any users still using the application to update it immediately.


Update 1: Fix Rolling Out

Version 4.1.9.9 is now rolling out on the Play Store with a changelog that says "Fix http vulnerability in LAN." If you are on version 4.1.9.7.4 or lower, check for an update.
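If you manage more than one Android device, checking each one by hand for the fixed build is tedious, and a naive string comparison of version numbers is unreliable (it would, for instance, rank 4.1.9.10 below 4.1.9.9). The script below is an added example written for this page; it is not code from the article, from Baptiste Robert's proof of concept, or from the ES File Explorer developers. It compares dotted version strings numerically against the fixed version the changelog names (4.1.9.9) and reads the installed version out of `adb shell dumpsys package` output. The package name `com.estrongs.android.pop` and the sample `dumpsys` lines are assumptions constructed for the example, not captures from real devices.

```python
"""Audit installed ES File Explorer builds against the version that ships the LAN HTTP fix.

Added example, not from the article. Versions are those the article states:
4.1.9.9 contains the fix; 4.1.9.7.4 and lower are affected.
"""
import re
from typing import Iterable, List, Optional, Tuple

FIXED_VERSION = "4.1.9.9"          # first build with "Fix http vulnerability in LAN"
LAST_VULNERABLE_VERSION = "4.1.9.7.4"

# Assumption for this example: the Play Store package name of ES File Explorer.
ES_PACKAGE = "com.estrongs.android.pop"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v4.1.9.7.4' or '4.1.9.9' into a tuple of ints.

    A leading 'v' is stripped and anything after a '-' (build tags) is ignored.
    """
    core = text.strip().lstrip("vV").split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def compare_versions(a: str, b: str) -> int:
    """Component-wise numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.

    Shorter tuples are padded with zeros, so 4.1.9 == 4.1.9.0, and 4.1.9.10 > 4.1.9.9,
    which a plain string comparison gets wrong.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_vulnerable(installed: str) -> bool:
    """True when the installed build predates the fixed version."""
    return compare_versions(installed, FIXED_VERSION) < 0


def version_from_dumpsys(output: str) -> Optional[str]:
    """Extract the versionName= line from `adb shell dumpsys package <pkg>` output."""
    match = re.search(r"^\s*versionName=(\S+)", output, re.MULTILINE)
    return match.group(1) if match else None


def audit(devices: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Given (device_id, dumpsys_output) pairs, return (device_id, version, verdict)."""
    results = []
    for device, output in devices:
        version = version_from_dumpsys(output)
        if version is None:
            results.append((device, "?", "not installed or version not found"))
        elif is_vulnerable(version):
            results.append((device, version, f"VULNERABLE, update to {FIXED_VERSION} or later"))
        else:
            results.append((device, version, "fixed"))
    return results


# Constructed sample dumpsys output (not real device captures), trimmed to the relevant lines.
SAMPLE_DEVICES = [
    ("emulator-5554", f"Packages:\n  Package [{ES_PACKAGE}]\n    versionCode=10198 targetSdk=26\n    versionName=4.1.9.7.4\n"),
    ("pixel-lan",     f"Packages:\n  Package [{ES_PACKAGE}]\n    versionCode=10199 targetSdk=26\n    versionName=4.1.9.9\n"),
    ("tablet",        "Packages:\n"),   # app not installed: no versionName line at all
]

if __name__ == "__main__":
    # On real hardware the output would come from:
    #   adb -s <device> shell dumpsys package com.estrongs.android.pop
    for device, version, verdict in audit(SAMPLE_DEVICES):
        print(f"{device:14} {version:10} {verdict}")
```

Run it against real devices by replacing `SAMPLE_DEVICES` with the output of `adb -s <id> shell dumpsys package com.estrongs.android.pop` for each `<id>` listed by `adb devices`. Anything the audit reports as vulnerable should be updated, or the app uninstalled, before the device is reconnected to a shared network.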