CWE-925: Improper Verification of Intent by Broadcast Receiver

VariantIncomplete

The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.

View on MITRE

Back to CWE Lookup

Extended Description

Certain types of Intents, identified by action string, can only be broadcast by the operating system itself, not by third-party applications. However, when an application registers to receive these implicit system intents, it is also registered to receive any explicit intents. While a malicious application cannot send an implicit system intent, it can send an explicit intent to the target application, which may assume that any received intent is a valid implicit system intent and not an explicit intent from another application. This may lead to unintended behavior.

Technical Details

Structure: Simple

Applicable To

Languages

Not Language-Specific

Platforms

Learn More

Find Related CVEs

Search for vulnerabilities that exploit CWE-925

CVE vs CWE: What's the Difference?

Understanding vulnerabilities vs weaknesses

Understanding CVSS Scoring

How vulnerability severity is measured

View Full MITRE Entry

Complete technical details and references