Bluebird devices contain a pre-loaded barcode scanner application. This application exposes an unsecured broadcast receiver kr.co.bluebird.android.bbsettings.BootReceiver. A local attacker can call the receiver to overwrite file containing .json keyword with default barcode config file. It is possible to overwrite file in any location due to lack of protection against path traversal in name of the file.
This issue affects all versions before 1.3.3.
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
The attacks and consequences of improperly exporting a component may depend on the exported component: