Instagram vulnerability: Turn off all types of message requests using a deeplink (Android)


Instagram vulnerability description:
Instagram for Android has a messaging tool, and users can change its message controls to decide whether they want to receive messages from potential connections or from other people on Facebook and Instagram.

Instagram's Android app implements a deeplink, “instagram://turn_off_message_requests”, that turns off all message requests so the user will not receive messages from anybody. The deeplink executes headlessly: no UI is shown after it runs.

Thus a malicious or rogue app could trigger the turn-off-message-requests deeplink without holding any permission such as “FB_APP_COMMUNICATION”, and an attacker would be able to disable all incoming messages for an Instagram user.


Repro steps:

Instagram android app version: 258.1.0.26.100

1. Go to Instagram for Android > Messages > Tools > Message controls

2. Set “deliver requests to” to “message requests”

3. Close the Instagram app

4. Launch the “instagram://turn_off_message_requests” deeplink (without quotes)

5. Open the Instagram app and go to message controls; every option now shows “Don’t receive”.

POC:

Timeline:

29/10/2022: Report submitted.

02/11/2022: Triaged

09/11/2022: Bounty

20/12/2022: Fixed

Follow me on Twitter:
https://twitter.com/RahulKankrale

Facebook Android vulnerability: Launching internal/tightened deeplinks on behalf of the user

In Facebook for Android, the ad creation deeplink “ads_lwi_coupon_interstitial” has a “landing_page” parameter, and the URI passed to this parameter was not validated, so any internal/tightened deeplink passed to it was launched when the “Get Started” button was pressed in the UI.

Vulnerable deeplink:

fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=&landing_page=fbinternal://rninternalsettings&entry_point=home

Mobile app version: 342.0.0.37.119

Reproduction steps:

  1. Create an intent, using a third-party app or an HTML page, with the deeplink “fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=216662095206780&landing_page=fbinternal://rninternalsettings&entry_point=home”
  2. Launch the deeplink/app
  3. Tap “Get Started”
  4. The internal settings screen opens.
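Both write-ups above come down to the same two handler mistakes: a deeplink that applies an account-wide state change with no visible confirmation, and a deeplink that forwards a nested `landing_page` URI without checking where it points. The following added example (my own illustration, not Instagram's or Facebook's code) shows a single deeplink entry Activity that handles both cases defensively: state-changing hosts such as `turn_off_message_requests` are routed to a confirmation screen instead of being executed headlessly, and a `landing_page` value is launched only if its scheme and host are on an allowlist, so an internal-only scheme like `fbinternal://` is simply dropped. The class names, hosts and the `ConfirmSettingChangeActivity` target are assumptions for illustration; the Activity is assumed to be declared exported with a VIEW intent-filter for the app's custom scheme.

```java
// Added example (not Instagram's or Facebook's code): a hardened deeplink
// entry Activity. Scheme names, hosts and class names are assumptions.
package com.example.deeplinks;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkRouterActivity extends Activity {

    // Only these schemes/hosts may be forwarded from a landing_page parameter.
    // Internal schemes (e.g. "fbinternal") are deliberately absent, so
    // tightened/internal screens cannot be reached through this parameter.
    private static final Set<String> ALLOWED_LANDING_SCHEMES =
            new HashSet<>(Arrays.asList("https"));
    private static final Set<String> ALLOWED_LANDING_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "help.example.com"));

    // Deeplink hosts that change account state and must never be applied
    // without the user seeing and confirming the change.
    private static final Set<String> STATE_CHANGING_HOSTS =
            new HashSet<>(Arrays.asList("turn_off_message_requests"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri link = getIntent().getData();
        if (link == null) {
            finish();
            return;
        }

        String host = link.getHost();
        if (host != null && STATE_CHANGING_HOSTS.contains(host)) {
            // An exported component cannot reliably identify its caller, so the
            // check is a visible confirmation screen rather than a silent change.
            Intent confirm = new Intent(this, ConfirmSettingChangeActivity.class); // assumed class
            confirm.putExtra("setting", host);
            startActivity(confirm);
            finish();
            return;
        }

        // getQueryParameter() percent-decodes the value, so the nested URI is
        // parsed in its final form, exactly as it would be launched.
        String landing = link.getQueryParameter("landing_page");
        if (landing != null) {
            Uri target = Uri.parse(landing);
            if (isAllowedLandingPage(target)) {
                startActivity(new Intent(Intent.ACTION_VIEW, target));
            }
            // Otherwise the value is dropped; a rejected landing_page is a good
            // signal to log for abuse detection.
        }
        finish();
    }

    /** True only for an absolute URI whose scheme and host are both allowlisted. */
    static boolean isAllowedLandingPage(Uri target) {
        String scheme = target.getScheme();
        String host = target.getHost();
        if (scheme == null || host == null) {
            return false;
        }
        return ALLOWED_LANDING_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))
                && ALLOWED_LANDING_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

Two design points are worth noting. First, the allowlist is on the parsed scheme and host of the nested URI, not on a substring of the raw query string, because `landing_page=fbinternal://rninternalsettings` arrives percent-encoded in practice and only `getQueryParameter()` sees the decoded form. Second, the state-changing branch does not try to verify the caller: for an Activity started with a plain VIEW intent there is no trustworthy caller identity, so either a confirmation UI or a signature-level `android:permission` on the component is the real control.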

Proof of concept:

Timeline:

31/10/2021: Reported
03/11/2021: Triaged
06/12/2021: Fixed
02/02/2022: Reward $3000 + $225 (Silver Bonus) + $300 (delay bonus)

Bypass Samsung Knox protection to read files stored in a secure folder | Android


Description: Samsung Knox is a defensive mobile security platform that is built into Samsung devices and enhances security in all directions through a combination of physical means and software systems, providing security protection from the hardware to the application layer.

I used the path and file structure to bypass Samsung Knox protection and read, without authorization, the files stored in the Secure Folder, and received a $3750 reward from Samsung.

Severity: High | SVE-2020-18025

Xiaomi Android: Harvest private/system files (Updated POC)

Yet another Android vulnerability which I found on Xiaomi, the giant mobile manufacturer.

Summary: The inbuilt SMS application is pre-installed on those devices. It is built with a feature that syncs to the cloud using a WebView running inside the application's sandbox.
This application can also be launched from the browser and have its WebView directed to load an arbitrary URL, which allows access to the local file system, reading of local resources and access to network resources.
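The teaser above describes the classic exposed-WebView pattern: a component that can be launched from outside the app, takes a URL from the launching intent, and loads it in a WebView whose settings still allow `file://` access. As an added example (my own illustration, not Xiaomi's code), here is how such a cloud-sync WebView screen can be hardened: file and content URI access is disabled, every navigation is restricted to the expected sync origin via `shouldOverrideUrlLoading`, and a caller-supplied URL is honoured only when it is already on that origin. The host `sync.example.com` and the class name are assumptions; the Activity is assumed to be exported so the sync flow can still be deep-linked.

```java
// Added example (not Xiaomi's code): a WebView used for an in-app cloud-sync
// page, hardened so an externally supplied URL cannot point it at file://
// content or at an arbitrary origin. Host and class names are assumptions.
package com.example.sync;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class SyncWebViewActivity extends Activity {
    // The only origin this WebView is allowed to display (assumed host).
    private static final String SYNC_ORIGIN_HOST = "sync.example.com";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);                // no file:// loads at all
        settings.setAllowContentAccess(false);             // no content:// provider reads
        settings.setAllowFileAccessFromFileURLs(false);    // defaults vary by API level;
        settings.setAllowUniversalAccessFromFileURLs(false); // set both explicitly
        settings.setJavaScriptEnabled(true);               // keep only if the sync page needs it

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true tells the WebView not to load the URL, so any
                // navigation or redirect that leaves the sync origin is blocked.
                return !isSyncOrigin(request.getUrl());
            }
        });

        // Honour a URL from the launching intent only if it is on the sync
        // origin; anything else falls back to the fixed start page.
        Uri requested = getIntent().getData();
        Uri start = (requested != null && isSyncOrigin(requested))
                ? requested
                : Uri.parse("https://" + SYNC_ORIGIN_HOST + "/start");
        webView.loadUrl(start.toString());
    }

    /** True only for https URLs on the expected sync host. */
    static boolean isSyncOrigin(Uri uri) {
        if (uri == null) {
            return false;
        }
        return "https".equalsIgnoreCase(uri.getScheme())
                && SYNC_ORIGIN_HOST.equalsIgnoreCase(uri.getHost());
    }
}
```

The origin check is applied twice on purpose: once to the initial URL taken from the intent, and again on every subsequent navigation, because a page on the allowed origin could still redirect to `file:///` or to another site. Disabling file access in `WebSettings` is the backstop if the navigation filter is ever bypassed, since with `setAllowFileAccess(false)` the WebView refuses `file://` loads regardless of how the URL reached it.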
