From intent extra to RCE: Argument injection in YTDLnis
Blog post from Sonar
YTDLnis is an open-source Android app for downloading video and audio from many platforms, with features such as format conversion and ad blocking behind a modern interface. Sonar found a critical argument injection vulnerability in the app's handling of the COMMAND intent extra: a crafted link, once clicked, can deliver an intent extra whose contents end up as arguments to the download command the app builds, so an attacker can execute arbitrary code on the victim's device. The flaw affects versions 1.8.4 and earlier.

Because the injected code runs inside YTDLnis, it inherits the app's identity and permissions, including Full Storage Access, so an attacker can read, modify, or delete files on the device. The app also holds session cookies for services it signs in to, such as YouTube and Instagram; extracting those cookies lets the attacker take over the victim's accounts on those services.

The vulnerability was fixed in version 1.8.4.1-beta by removing the COMMAND intent extra handling entirely. Users should update to the latest version. The case illustrates the risk of passing untrusted external data, here an intent extra that a link can control, into a command line for an external tool, and the importance of applying security updates promptly.
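The pattern behind the bug, reduced to its essentials, as an added example that is not code from the Sonar post or from YTDLnis: an untrusted string is tokenised into a command line for an external downloader, so any whitespace-separated option the attacker includes becomes an argument to the tool. The vulnerable builder is shown beside a hardened one that accepts exactly one validated URL and passes it after `--`. The tool name `yt-dlp`, the placeholder option `--injected-option`, the sample deep-link payload, and the assumption that the tool honours the POSIX end-of-options marker are all illustrative, not details taken from the post.

```python
"""Argument injection through a caller-supplied command string, and one way to harden it.

Added example, not code from the Sonar post or from YTDLnis. It models the general
pattern the post describes (an intent extra split into a command line for an external
tool) with a generic yt-dlp-style invocation. The option name `--injected-option` and
the sample deep-link payload are constructed for illustration.
"""
import shlex
from urllib.parse import urlparse

TOOL = "yt-dlp"  # assumption: the downloader binary the app shells out to


def build_argv_vulnerable(command_extra: str) -> list[str]:
    """Vulnerable pattern: the whole untrusted string is tokenised into argv.

    Anything the caller can put in the intent extra, including whitespace-
    separated option tokens, becomes a separate argument to the tool.
    """
    return [TOOL, *shlex.split(command_extra)]


def injected_options(argv: list[str]) -> list[str]:
    """Return the option-looking tokens in argv.

    The app only ever intended to pass a URL, so every token starting with '-'
    originates from the untrusted input.
    """
    return [tok for tok in argv[1:] if tok.startswith("-")]


def build_argv_hardened(url: str) -> list[str]:
    """Hardened pattern: the caller may supply exactly one URL, never a command line.

    - reject whitespace and control characters so the value can never be re-split
    - reject values that look like options (leading '-')
    - require an absolute http(s) URL with a host
    - pass the value after '--' so the tool treats it as positional
      (assumption: the tool honours the POSIX end-of-options marker, as
      optparse/argparse-based CLIs do)
    """
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise ValueError("whitespace or control character in URL")
    if url.startswith("-"):
        raise ValueError("URL must not look like an option")
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("only absolute http(s) URLs are accepted")
    return [TOOL, "--", url]


if __name__ == "__main__":
    # constructed deep-link payload: a legitimate-looking URL followed by an extra option
    payload = "https://example.com/watch?v=abc --injected-option payload"
    argv = build_argv_vulnerable(payload)
    print("vulnerable argv:", argv)
    print("attacker-controlled options:", injected_options(argv))
    print("hardened argv:", build_argv_hardened("https://example.com/watch?v=abc"))
```

Removing the command-string input altogether, as the 1.8.4.1-beta fix did, is the stronger choice; the hardened builder shows what validation would be needed if a single URL still had to be accepted from a link.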