📌 1. Reporting information

• Name: Team Brrester

🧩 2. Overview of Vulnerabilities

• Vulnerability title: Intent Redirection

• Date of discovery: 2025.05.20.

• Discovery Location (URL or System Path): com.mcu.reolink/com.android.bc.ForegroundLockActivity, com.mcu.reolink/com.android.bc.login.WelcomeActivity

• Vulnerability type (CWE ID): **CWE-940** - Improper Verification of Source of a Communication Channel CWE-926 - Improper Export of Android Application Components

• Vulnerability Description: Intent redirection vulnerabilities allow an attacker to partially or completely control the user-provided intent to execute new components in the context of a vulnerable app. This vulnerability may in particular allow unauthorized access to internal functions or access to non-public components.

🔍 3. Details

• Impacted Products/Services: Reolink App

• Product version: 4.54.0.4.20250526

• Vulnerable components: com.mcu.reolink/com.android.bc.ForegroundLockActivity, com.mcu.reolink/com.android.bc.login.WelcomeActivity

• Attack vector:

    protected void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView(com.mcu.reolink.R.layout.foreground_lock_layout);
        ImmersiveEffectUtil.adjustNightMode(getWindow());
        this.bundle = getIntent().getExtras();
        findView();
        setListener();
    }

• When ForegroundLockActivity is first created, this.bundle= getIntent().getExtras(); getInttras from the code and put it into the bundle.
• After that, call findView() and setListener() to process Intent as imported Extras.