CVE-2023-33293

Name of the Vulnerable Software and Affected Versions KaiOS versions 3.0 through 3.1

Description An issue was discovered in the binary /system/kaios/api-daemon, which exposes a local web server on *.localhost with subdomains for each installed application. For example, myapp.localhost. An attacker can make fetch requests to api-daemon to determine if a given app is installed and read the manifest.webmanifest contents, including the app version.

Recommendations For KaiOS versions 3.0 and 3.1, consider restricting access to the api-daemon binary to minimize the risk of exploitation. As a temporary workaround, consider disabling the local web server exposed by the api-daemon binary until a patch is available. Avoid using the api-daemon to fetch sensitive information, such as the manifest.webmanifest contents, until the issue is resolved.