Message-ID: <CAG8guZ3D-S1SLo+5p0QyY0YUfte5KYhTxAuUyidey+wH9c+ZZg@mail.gmail.com>
Date: Mon, 29 Dec 2025 21:09:00 +0000
From: duykham <duykham@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Security Vulnerability in Koller Secret: Real Hidden App
	(com.koller.secret.hidemyphoto)

Hello Full Disclosure,

I would like to disclose a security vulnerability identified in a
smartphone application: *Koller Secret: Real Hidden App*.

This report is shared in the interest of responsible disclosure and
improving overall security awareness.

---

*Summary*
- Application: Koller Secret: Real Hidden App
- Package / Bundle ID: com.koller.secret.hidemyphoto
- Platform: Android
- Affected Version(s): v.1.0.27 and below
- Vulnerability Type: Authentication Bypass
- Severity: High
- CVE: Pending

---

*Background*
Koller Secret claims to be the "first truly hidden app" that has "no
visible icon nor launcher" and *can be accessed only by entering an Android
secret code* from the user's dial pad.

---

*Description*
The application contains a vulnerability that allows an attacker to *bypass
the app's secret code mechanism* and access the app's main UI.

The root cause appears to be improper access control on an exported Android
component. The MainActivity is explicitly declared as
`android:exported="true"` in the Android manifest, making it accessible to
external applications and enabling unauthorized activity invocation.

---

*Technical Details*
- Relevant components:
   - MainActivity / Android Manifest
- Security mechanism affected:
   - Access control

*Observed behavior:*
It was observed that the application's MainActivity can be launched
externally via ADB by explicitly invoking it with the expected intent
action (ACTION_LAUNCH). When started in this manner, the application
bypasses the intended secret code verification mechanism and proceeds
directly to the protected interface.

*Expected behavior:*
The application should reject any attempts to launch the protected main
interface from external sources, including ADB or other applications.
Access to the protected interface should only be granted through the
official application flow, which requires successful secret code entry via
the dial pad. All other invocation attempts should be denied.

---

*Proof of Concept (PoC)*
1. Install "Koller Secret: Real Hidden App" version 1.0.27 (or earlier) to
an Android smartphone.
2. Connect the smartphone to a desktop machine (e.g., via a USB cable) that
supports Android Debug Bridge (ADB).
3. Launch a command line terminal (or Command Prompt in Windows OS).
4. Run the command:

> adb shell am start -n com.koller.secret.hidemyphoto/.MainActivity -a com.koller.secret.hidemyphoto.ACTION_LAUNCH

5. Observe that:
- The main UI of Koller Secret app is loaded on the smartphone.
- No secret code entry is required.

*Important note:*
The Koller Secret Pro app (with more "advanced security features") is also
affected by the vulnerability, when no lockscreen protection is enabled.

---

*Impact*
An attacker exploiting this vulnerability could potentially:
- access sensitive user data
- bypass security controls
- compromise application integrity

Successful exploitation of this issue undermines the application's intended
security model, potentially allowing unauthorized access to sensitive user
data and negatively impacting user trust in the application.

---

*Disclosure Timeline*
- 2025.11.21 – Vulnerability discovered
- 2025.11.25 – Vendor contacted
- 2025.11.29 – Vendor acknowledged
- 2025.12.29 – Public disclosure

The vendor was given reasonable time to respond prior to this disclosure.
No malicious exploitation is known at the time of publication.

---

*Mitigation / Recommendation*
To mitigate this issue, the affected activity should not be exported unless
explicitly required. Setting android:exported="false" for the MainActivity
would prevent external invocation via ADB or third-party applications.

If exporting the activity is necessary, the application should enforce
strict access control by validating authorization state at runtime and
ensuring that the secret code verification has been successfully completed
before granting access to protected functionality.

Users are advised to update to a fixed version once available.
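
To check a build for the condition described above, the following added example (not part of the original advisory and not the vendor's code) audits a decoded AndroidManifest.xml for activities that are reachable from other apps or ADB and declare no permission. The sample manifest, the package com.example.vault and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest of a hypothetical app
# (com.example.vault), not the real manifest of the app in the advisory.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vault">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="com.example.vault.ACTION_LAUNCH"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".ShareActivity" android:exported="true"
              android:permission="com.example.vault.permission.SHARE"/>
    <activity android:name=".LegacyActivity">
      <intent-filter>
        <action android:name="com.example.vault.ACTION_LEGACY"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def unprotected_exported_activities(manifest_xml):
    """Return (name, reason) for each activity that other apps or adb can
    start and that is not covered by an android:permission."""
    findings = []
    for app in ET.fromstring(manifest_xml).iter("application"):
        app_perm = app.get(ANDROID + "permission")  # applies to all components
        for node in app:
            if node.tag not in ("activity", "activity-alias"):
                continue
            exported = node.get(ANDROID + "exported")
            if exported == "true":
                reason = "explicit exported=true"
            elif exported is None and node.find("intent-filter") is not None:
                # Before Android 12 (targetSdk < 31) an intent-filter
                # implied exported=true when the attribute was omitted.
                reason = "implicit export via intent-filter"
            else:
                continue
            if node.get(ANDROID + "permission") is None and app_perm is None:
                findings.append((node.get(ANDROID + "name"), reason))
    return findings


if __name__ == "__main__":
    for name, reason in unprotected_exported_activities(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
```

A finding is a prompt for review rather than proof of a flaw: launcher activities are exported by design, so the question for each flagged activity is whether it validates authorization state itself before showing protected content.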

---

Discovered and reported by:
duykham

---

*References*
- Install:
https://play.google.com/store/apps/details?id=com.koller.secret.hidemyphoto
- Install (Pro):
https://play.google.com/store/apps/details?id=com.koller.secret.hidemyphoto.pro
- Vendor: https://www.iotrusted.com

---

If additional information is required, I can be reached privately.

Regards,
duykham
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
