CVE-2026-3668
Improper Access Control in Freedom Factory dGEN1 AndroidEthereum
Publication date: 2026-03-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freedom_factory | dgen1 | up to and including 20260221 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the exposure of a sensitive Android JavaScriptInterface named "AndroidEthereum" within the Freedom Factory dGEN1 phone's ethOS PWA emulator application (package org.ethosmobile.webpwaemul). Detection involves identifying whether the vulnerable application is present and whether the JavaScriptInterface is exposed to loaded web content without origin validation.

Since the vulnerability is related to the WebView component exposing the interface globally, detection can include checking for the presence of the vulnerable package and checking whether the AndroidEthereum interface is reachable from loaded web content.

Suggested commands or methods to detect this vulnerability include:

- Use Android Debug Bridge (adb), with USB debugging enabled on the device, to check installed packages: `adb shell pm list packages | grep org.ethosmobile.webpwaemul`
- Inspect the WebView usage and JavaScript interfaces in the app by reverse engineering or dynamic analysis tools such as JADX or Frida to confirm the presence of the `addJavascriptInterface()` call that registers "AndroidEthereum" (in decompiled sources, search for `addJavascriptInterface(` and the string "AndroidEthereum"; with Frida, hook `android.webkit.WebView.addJavascriptInterface` to log the interface name and the URL loaded at that moment).
- Monitor network traffic or WebView content loading to detect whether any websites or apps invoke the exposed interface, for example by capturing WebView JavaScript calls or using instrumentation frameworks.
- Use a proof-of-concept HTML page that calls `AndroidEthereum.getAddress()` to test whether the wallet address can be retrieved silently (no prompt, no prior approval) when loaded inside the emulator, on a device you own or are authorised to test. [1, 2, 3]
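The script below is an added example of the proof-of-concept page named in the last step; it is not code from the advisory or from Freedom Factory. Placed in a `<script>` tag on a page you serve from a host you control and opened inside the emulator, it reports whether a global named "AndroidEthereum" is reachable from page context and whether `getAddress()` (the method named on this page) returns a well-formed wallet address with no consent step. The interface name and the assumption that the bridge is a property of `window` are taken from this page; the report shape and the `isSilentDisclosure()` verdict are the example's own.

```javascript
// Added example, not code from the advisory or from Freedom Factory: the
// script for a proof-of-concept page loaded inside the ethOS PWA emulator
// WebView. Assumptions: getAddress() is the bridge method named on this
// page; the bridge is a property of the page's global object (window).

const ETH_ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Probe the bridge on `globalObj` (window in the WebView, a plain object in
// tests). Never throws: every failure is recorded in the returned report.
function probeAndroidEthereum(globalObj, interfaceName = 'AndroidEthereum') {
  const bridge = globalObj[interfaceName];
  const report = {
    interfaceName,
    exposed: bridge !== undefined && bridge !== null,
    callable: false,
    address: null,
    looksLikeAddress: false,
    error: null,
  };
  if (!report.exposed) return report;
  // Java-backed interface members appear as functions on the injected object.
  if (typeof bridge.getAddress !== 'function') {
    report.error = 'getAddress is not a function on the bridge';
    return report;
  }
  report.callable = true;
  try {
    // @JavascriptInterface methods return synchronously; a Java String
    // arrives as a JS string.
    const value = bridge.getAddress();
    report.address = value === undefined || value === null ? null : String(value);
    report.looksLikeAddress = ETH_ADDRESS_RE.test(report.address || '');
  } catch (err) {
    report.error = err && err.message ? err.message : String(err);
  }
  return report;
}

// The advisory's condition: an arbitrary page obtains a well-formed address
// through the bridge with no consent step in between.
function isSilentDisclosure(report) {
  return report.exposed && report.callable && report.looksLikeAddress;
}

// Page entry point: only runs inside a browser or WebView. The Android
// WebView forwards console output to logcat by default, so the verdict can
// be collected over adb as well as read on screen.
if (typeof window !== 'undefined') {
  const report = probeAndroidEthereum(window);
  const verdict = isSilentDisclosure(report) ? 'VULNERABLE' : 'not reproduced';
  console.log('CVE-2026-3668 probe: ' + verdict + ' ' + JSON.stringify(report));
  if (typeof document !== 'undefined' && document.body) {
    document.body.textContent = verdict + '\n' + JSON.stringify(report, null, 2);
  }
}
```

A "not reproduced" verdict from a page served on an origin the app has never approved is the expected outcome on a fixed build; a "VULNERABLE" verdict means the address left the wallet with no user interaction. Run the probe from at least one origin that is not the app's own launcher, since a check that only ever runs on a trusted origin cannot distinguish origin-gated access from no gating at all.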
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps focus on restricting or disabling the exposure of the AndroidEthereum JavaScriptInterface to untrusted content within the ethOS PWA emulator.
- Restrict the registration of the JavaScriptInterface to trusted origins only, so untrusted websites or apps cannot reach it. Note that `addJavascriptInterface()` registers the object for every page the WebView loads afterwards, so the restriction has to be enforced either by removing the interface (`removeJavascriptInterface()`) before navigating to an untrusted origin or by checking the current origin inside every exposed method.
- Implement explicit wallet-connection approval dialogs that require user consent before exposing wallet address information.
- Enforce origin validation checks before responding to any wallet-related API call so that only authorized content can access sensitive data; derive the origin from the URL the WebView is loading, never from a value supplied by the page.
- Avoid exposing sensitive wallet functions directly via `addJavascriptInterface()` to untrusted WebView content.
Since no vendor patch or official fix is currently available and the vendor has not responded, users should avoid opening untrusted websites or launcher apps inside the emulator to reduce risk.
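The following is an added example of the access-control model the list above describes; it is not the vendor's code and not a patch for the app. It is written at the layer a dApp sees: the native bridge object is never placed in page scope, and a page receives only a provider whose account access is gated per origin by an explicit approval, the way `eth_requestAccounts` works in an EIP-1193 wallet. The names `WalletGate`, `normalizeOrigin`, `askUser` and `getAddress` are the example's own; `askUser(origin)` stands in for the app's consent dialog and returns a boolean (a real dialog is asynchronous, which does not change the gating logic). In the dGEN1 app the same checks would have to live in the Kotlin/Java bridge, where page script cannot alter them.

```javascript
// Added example, not the vendor's code: a model of origin-gated, consent-gated
// wallet access. Assumptions: origins compare as scheme://host[:port];
// askUser(origin) is the consent dialog and returns a boolean; getAddress() is
// the only path to the wallet; the host app, not the page, supplies the URL.

// Reduce a URL to its origin. Opaque origins (about:blank, data:, file:)
// carry no trustworthy identity and are rejected outright.
function normalizeOrigin(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (err) {
    return null;
  }
  if (parsed.origin === 'null' || parsed.host === '') return null;
  return parsed.origin;
}

// EIP-1193 style provider errors (4001 rejected, 4100 unauthorized, 4200 unsupported).
function providerError(code, message) {
  const err = new Error(message);
  err.code = code;
  return err;
}

class WalletGate {
  constructor({ trustedOrigins = [], askUser, getAddress }) {
    // First-party origins (the app's own PWA launcher) may read the address
    // without a prompt; every other origin must be approved by the user.
    this.trusted = new Set(trustedOrigins.map(normalizeOrigin).filter(Boolean));
    this.approved = new Set();
    this.askUser = askUser;
    this.getAddress = getAddress;
  }

  hasAccess(origin) {
    return this.trusted.has(origin) || this.approved.has(origin);
  }

  revoke(url) {
    this.approved.delete(normalizeOrigin(url));
  }

  // Build the provider handed to a page. The origin is bound here by the host
  // app from the URL it is loading (WebViewClient territory on Android); the
  // page never gets to declare its own origin.
  providerFor(pageUrl) {
    const origin = normalizeOrigin(pageUrl);
    const gate = this;
    return {
      request({ method }) {
        if (origin === null) {
          throw providerError(4100, 'Unauthorized: opaque or unparsable origin');
        }
        switch (method) {
          case 'eth_accounts':
            // Silent query: reveals the address only to origins already granted.
            return gate.hasAccess(origin) ? [gate.getAddress()] : [];
          case 'eth_requestAccounts':
            // Consent step: this is the dialog the vulnerable bridge skipped.
            if (!gate.hasAccess(origin)) {
              if (!gate.askUser(origin)) {
                throw providerError(4001, 'User rejected the request');
              }
              gate.approved.add(origin);
            }
            return [gate.getAddress()];
          default:
            throw providerError(4200, 'Unsupported method: ' + method);
        }
      },
    };
  }
}
```

The contrast with the advisory is in `eth_accounts`: an unapproved origin gets an empty array rather than the address, so fingerprinting across sites fails unless the user has said yes to that specific origin. Approvals are keyed by normalized origin, not by full URL, and opaque origins are refused rather than treated as a fresh, harmless site, because `about:blank` and `data:` documents are exactly what a malicious launcher would use to sidestep an allowlist.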
Can you explain this vulnerability to me?
CVE-2026-3668 is an information disclosure vulnerability in the Freedom Factory dGEN1 phone's ethOS PWA emulator application, specifically in the AndroidEthereum function of the org.ethosmobile.webpwaemul component.

The vulnerability arises because the AndroidEthereum JavaScriptInterface is exposed globally to all websites loaded within the emulator's WebView without validating the origin of those websites or requiring user consent.

This allows any website or malicious launcher app opened inside the emulator to silently access the user's Ethereum wallet address without interaction or approval, violating the standard decentralized application security model in which a site must first request wallet access and the user must approve it.

The root cause is the lack of access control and origin validation when exposing this sensitive interface, enabling unauthorized access to wallet address information. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of your Ethereum wallet address to any malicious website or app running inside the emulator.
- Silent retrieval of wallet address without user knowledge or consent.
- Enables wallet fingerprinting and tracking across applications.
- Increases risk of phishing attacks through malicious launcher apps pretending to be legitimate.
Although private keys and transaction signing are not exposed, the wallet address itself is sensitive as it can be used for financial profiling, transaction tracking, and deanonymization.
Exploitation requires the user to open an attacker-controlled website or fake app inside the emulator, but no additional permissions or elevated privileges are needed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know