ES File Explorer Update Brings HTTP Vulnerability Fix, Other Bug Fixes


  • ES File Explorer has quickly rolled out a fix for the HTTP vulnerability
  • Reported last week, vulnerability allowed easy phone access to hackers
  • ES File Explorer v4.1.9.9 update with the fix is available on Google Play

Just last week, an HTTP vulnerability was reported within ES File Explorer – a popular app used by many to manage phone storage. The vulnerability allegedly gave hackers easy access to phone’s files, and all the victim had to do was open the app once to be exposed to it. Developers of ES File Explorer were quick to respond to this newfound bug, and within days of the reported vulnerability, a fix for the same has been issued. The update ES File Explorer v4.1.9.9 version is now available on Google Play, and all users are recommended to download it.

The changelog for the ES File Explorer v4.1.9.9 update states that the HTTP vulnerability in LAN has been fixed, alongside some other known bug fixes as well. The new v4.1.9.9 update also fixes a problem “that the music player part could not create a song list”. A spokesperson also confirmed the fixes to Android Police, “The issue of unauthorised copying of files has been fixed by removing the corresponding code. The way a man-in-the-middle attack is avoided by the way the server upgrades.”

We recommend all users to update to the latest version of ES File Explorer. The update is available to download for free on the Play Store, and as we mentioned, comes within days of the vulnerability being reported. The company had reportedly issued a fix last week itself, and was waiting for the Google market to pass the review. The developers told Android Police, “We have fixed the http vulnerability issue and released it. Waiting for the Google market to pass the review.” And now finally the update with the fix is out for download.

According to security researcher who goes by the pseudonym Eliot Alderson, ES File Explorer used to start an HTTP server on port 59777, which left your phone accessible to anyone on the same local network to exploit it. The attacker can then use that port to inject a JSON payload and list out the files you have and even download them. If you happen to still use the app in in v4. and lower, then its best to update immediately, or connect only to highly trusted networks, or look for other alternatives.