CWE-925Improper Verification of Intent by Broadcast Receiver

PUBLISHEDweakness record
released 2013-07-17 · last modified 2026-04-30

Metadata

CWE ID:
CWE-925
摘要:
Variant
结构:
Simple
状态:
Incomplete
发布日期:
2013-07-17
更新日期:
2026-04-30

名称

Improper Verification of Intent by Broadcast Receiver

描述

The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.

Certain types of Intents, identified by action string, can only be broadcast by the operating system itself, not by third-party applications. However, when an application registers to receive these implicit system intents, it is also registered to receive any explicit intents. While a malicious application cannot send an implicit system intent, it can send an explicit intent to the target application, which may assume that any received intent is a valid implicit system intent and not an explicit intent from another application. This may lead to unintended behavior.

常见后果

范围:
Integrity
影响:
Gain Privileges or Assume Identity
注释:
Another application can impersonate the operating system and cause the software to perform an unintended action.

相关 CWE