Improper Access Control - Generic (CWE-284)CVSS 3.2Easy

Can download files on Android app without permission

hackerone-reports

March 5, 2026

17 views

Save

€235

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/2380133 by hakuna

Summary:

If the owner of a file - of type PDF, document, image or presentation - shares it with a user and disable download, the user can still download it using the Android app.

Steps To Reproduce:

As user1, in the "Files" app, create a folder containing files of different formats (PDF, .odt, .png, .odp...)
Share the folder to user2 and uncheck "Allow download" (repeat this step twice as unchecking the box doesn't apply the first time)
As user2, in the Android app, open: - a PDF: in the viewer click the top right menu, choose "Download as" and select "PDF document" or "PDF document as...". You receive a "Download completed" notification and can open and save the file on your phone. - a .odp: same as above

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Sign In Register

Related Writeups

pyus3r

Improper Access Control on www.target.example through /services/formcampaign via header "option" leads to unauthenticated read/write on the production marketing-campaign database

An unauthenticated AEM Sling servlet exposes four CRUD operations (getData / getDataById / setData / updateData) on the internal marketing-campaign database via a single option request header. The only access control is a Referer string check that any HTTP client trivially bypasses. Anonymous attackers can read the full 79-campaign dataset (including internal segmentation logic and the names of internal prospect databases), create arbitrary new campaigns in the production backoffice, and overwrite existing real production campaigns.

Read Writeup →

hackerone-reports

POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)

HackerOne disclosed report --> https://hackerone.com/reports/3676308 by glferreira-devsecops

Read Writeup →

gpk21

LogicalBreach Academy