Today I took a quick look at adding support for importing FreeOTP 2 backup files to Aegis. To my surprise, the backup file starts with:
\xAC\xED\x00\x05sr\x00\x11java.util.HashMap��
I didn't spend any time trying to find a gadget chain to exploit this. Perhaps there is none. But I'd like to not have to worry about a maliciously crafted FreeOTP backup file potentially executing arbitrary code in the context of Aegis' app process.
I'd like to suggest revising the backup format to not consist of serialized Java objects, but to use something like JSON instead.
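The header quoted in the issue is the Java Object Serialization Stream Protocol: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005, then TC_OBJECT (0x73, 's') and TC_CLASSDESC (0x72, 'r') followed by a 2-byte big-endian length and the class name. An importer can recognise that header and refuse the file before any `ObjectInputStream` ever touches it, which is the cheapest way to take the gadget-chain question off the table. The sniffer below is an added example written for this discussion, not code from Aegis or FreeOTP; the sample backup bytes and the JSON layout it accepts are constructed for the demo (only the serialization header is realistic, the serialVersionUID and payload are placeholders).

```python
"""Recognise a Java serialization stream by its header, without deserializing it.

Added example, not Aegis or FreeOTP code. Layout per the Java Object
Serialization Stream Protocol: STREAM_MAGIC 0xACED, STREAM_VERSION 5,
TC_OBJECT (0x73), TC_CLASSDESC (0x72), u2 length, UTF class name.
"""
import json
import struct

STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_OBJECT = 0x73      # 's'
TC_CLASSDESC = 0x72   # 'r'


def sniff_java_serialization(data: bytes):
    """Return the top-level class name if `data` is a Java serialization
    stream whose first element is an object, a descriptive marker if it is a
    serialization stream of another shape, or None if it is not one at all.
    Only reads bytes; nothing is ever deserialized."""
    if len(data) < 4 or data[:2] != STREAM_MAGIC or data[2:4] != STREAM_VERSION:
        return None
    if len(data) < 8 or data[4] != TC_OBJECT or data[5] != TC_CLASSDESC:
        return "<java serialization, unexpected top-level type>"
    (name_len,) = struct.unpack(">H", data[6:8])
    name = data[8:8 + name_len]
    if len(name) < name_len:
        return "<java serialization, truncated class descriptor>"
    return name.decode("utf-8", errors="replace")


class UnsafeBackupFormat(Exception):
    """Raised when a backup is in a format the importer refuses to parse."""


def load_backup(data: bytes) -> dict:
    """Importer front door: refuse serialized-Java input with a clear error and
    accept a hypothetical data-only JSON layout (the format the issue suggests)."""
    cls = sniff_java_serialization(data)
    if cls is not None:
        raise UnsafeBackupFormat(
            f"refusing to import Java-serialized backup (top-level class {cls}); "
            "export a data-only format such as JSON instead")
    return json.loads(data.decode("utf-8"))


# Constructed sample: realistic header, placeholder serialVersionUID and payload.
SERIALIZED_SAMPLE = (
    STREAM_MAGIC + STREAM_VERSION + bytes([TC_OBJECT, TC_CLASSDESC])
    + struct.pack(">H", len(b"java.util.HashMap")) + b"java.util.HashMap"
    + b"\x00" * 8 + b"<payload>"
)
# Constructed sample of the hypothetical JSON layout (secret is the RFC 6238 demo key).
JSON_SAMPLE = b'{"tokens": [{"issuer": "example", "secret": "JBSWY3DPEHPK3PXP"}]}'

if __name__ == "__main__":
    print(sniff_java_serialization(SERIALIZED_SAMPLE))   # java.util.HashMap
    print(load_backup(JSON_SAMPLE)["tokens"][0]["issuer"])
    try:
        load_backup(SERIALIZED_SAMPLE)
    except UnsafeBackupFormat as e:
        print("rejected:", e)
```

If the importing side cannot avoid `ObjectInputStream` at all, the standard mitigation on Java 9+ is an `ObjectInputFilter` allowlist (JEP 290) that admits only the expected value classes and rejects everything else; the header check above still belongs in front of it, because a rejected file should fail before any class is resolved.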