CVE-2023-33293 in KaiOS

Summary

by MITRE • 05/22/2023

An issue was discovered in KaiOS 3.0 and 3.1. The binary /system/kaios/api-daemon exposes a local web server on *.localhost with subdomains for each installed application, e.g., myapp.localhost. An attacker can make fetch requests to api-daemon to determine if a given app is installed and read the manifest.webmanifest contents, including the app version.


Analysis

by VulDB Data Team • 01/04/2026

CVE-2023-33293 is an information disclosure weakness in KaiOS versions 3.0 and 3.1. It stems from the exposure of the api-daemon binary, which runs a local web server on localhost addresses. The service maps a subdomain to each installed application, exposing application-specific endpoints under the pattern myapp.localhost, where myapp is the application's name. This design, intended to facilitate application communication, creates an unintended attack surface that reveals application metadata to unauthorized parties.

The flaw is the api-daemon's lack of access controls and authentication when serving these requests from local interfaces. Because the server listens on localhost and automatically creates a subdomain for every installed application, the set of subdomains mirrors the device's application inventory. A caller that issues fetch requests to the api-daemon can probe for installed applications and retrieve their manifest.webmanifest files, which contain metadata such as the application name, version, and other identifying characteristics. This violates the principle of least privilege and reflects poor separation of concerns in the system architecture.

The operational impact goes beyond simple information gathering: the disclosed manifest.webmanifest contents give an attacker a complete application inventory that can be used to plan further attacks. Disclosed version numbers can be matched against known weaknesses in specific application releases, enabling targeted attacks on those versions. The disclosure thus provides a reconnaissance foundation for more sophisticated attacks against the device or its applications, potentially leading to privilege escalation, data theft, or other malicious activity. The vulnerability primarily affects confidentiality, as it allows unauthorized disclosure of application metadata that should remain private to the system's legitimate users and processes.

Security professionals should consider this vulnerability in the context of CWE-200 (information exposure) and potentially CWE-352 (cross-site request forgery). The attack pattern aligns with the MITRE ATT&CK techniques T1082 (System Information Discovery) and T1592 (Gather Victim Host Information, under the Reconnaissance tactic). Recommended mitigations include enforcing access controls on the api-daemon service, restricting application-specific endpoints to authorized processes only, and ensuring that manifest files are not reachable through the local web server interface. The automatic subdomain creation feature should be removed or disabled, and network segmentation should prevent unauthorized local network access to the api-daemon service. Organizations should also consider application whitelisting and monitoring for unusual access patterns to the api-daemon service to detect exploitation attempts.
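The access-control mitigation above, as an added illustration that is not KaiOS or api-daemon code: a request handler that decides whether a manifest.webmanifest request for an app subdomain may be served. The installed-app inventory, the vulnerable and hardened handlers, and the rule that the caller's Origin must name the same app as the Host are all constructed here for illustration; the hardened variant also returns the same 404 for "not installed" and "not allowed" so the response cannot be used to enumerate apps.

```python
import re

# Constructed inventory standing in for the apps installed on a device.
INSTALLED_APPS = {
    "myapp": {"name": "My App", "version": "1.2.0"},
    "contacts": {"name": "Contacts", "version": "3.0.1"},
}

# Host header of the per-app subdomain scheme, e.g. "myapp.localhost[:port]".
APP_HOST = re.compile(r"^(?P<app>[a-z0-9][a-z0-9-]{0,62})\.localhost(?::\d+)?$")


def app_from_host(host):
    """Return the app name encoded in a *.localhost Host header, or None."""
    m = APP_HOST.match((host or "").strip().lower())
    return m.group("app") if m else None


def app_from_origin(origin):
    """Return the app name behind an Origin header ("scheme://host[:port]").

    Returns None when the Origin is missing, opaque ("null") or not an app
    subdomain, so it can never equal a real app name by accident.
    """
    if not origin:
        return None
    scheme, sep, rest = origin.partition("://")
    return app_from_host(rest) if sep else None


def serve_manifest_vulnerable(host, origin):
    """Mirrors the weakness: any caller may read any installed app's manifest."""
    app = app_from_host(host)
    if app is None or app not in INSTALLED_APPS:
        return 404, None  # tells the caller the app is not installed
    return 200, INSTALLED_APPS[app]


def serve_manifest_hardened(host, origin):
    """Only the app itself may read its own manifest.

    Browsers attach Origin to cross-origin fetch() calls, so a present Origin
    that names a different app is rejected. An absent Origin is treated as
    same-origin here (assumption: the daemon is reachable only from the
    device's own web runtime). Foreign callers and unknown apps get an
    identical 404, so the answer reveals nothing about what is installed.
    """
    app = app_from_host(host)
    if origin is not None and app_from_origin(origin) != app:
        return 404, None
    if app is None or app not in INSTALLED_APPS:
        return 404, None
    return 200, INSTALLED_APPS[app]
```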

Reservation

05/22/2023

Disclosure

05/22/2023

Moderation

accepted

CPE

ready

EPSS

0.00560

KEV

no

Activities

very low
