Shopping App Deeplink Arbitrary URLs


In this write-up, I’ll tell you how I was able to launch arbitrary URLs to the internal web of the shopping application.

Due to the lack of sanitization of URLs that pass through activities, it’s possible to launch arbitrary URLs to the internal web of the shopping application using a crafted website and malware applications. Also, I tried to bypass the host validation to launch Universal Cross-Site Scripting (UXSS); it does not seem to be vulnerable to that attack, since there’s another filter on the host.

In file com.redacted.android.maintab.MainTabActivity

As you can see above, the vulnerable code contains the scheme redacted://, the host messages.redacted.com, and the parameter message_target_url=. Adding a malicious URL to that parameter launches arbitrary URLs to the internal web of the shopping application. Here is the final deeplink below.

In file PoC.html

As you can see above, poc.html was crafted on a malicious website to launch the deeplink inside the shopping app.

In Malware application

As you can see above, a malware application or third-party application launches arbitrary URLs to the internal web of the shopping app.

December 18, 2021: I reported this vulnerability issue.

December 19, 2021: The report was reviewed and the vulnerability confirmed.

January 22, 2022: The vulnerability was patched and I got a bounty.
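The missing check described above is validation of the `message_target_url` value before the activity loads it. The following is an added example, not code from the application or its actual patch: a strict validator using `java.net.URI`, where the class name, the allowlisted hosts and the sample links are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public final class DeeplinkTargetValidator {
    // Assumed allowlist: placeholder hosts, not taken from the real app.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.redacted.com", "m.redacted.com");
    private static final String PARAM = "message_target_url=";

    /** Returns the URL that may be loaded, or empty if the deeplink must be dropped. */
    static Optional<URI> safeTarget(String deeplink) {
        try {
            URI link = new URI(deeplink);
            if (!"redacted".equalsIgnoreCase(link.getScheme()) || link.getRawQuery() == null
                    || !"messages.redacted.com".equalsIgnoreCase(link.getHost())) {
                return Optional.empty();
            }
            String raw = null;
            for (String pair : link.getRawQuery().split("&")) {
                if (!pair.startsWith(PARAM)) continue;
                if (raw != null) return Optional.empty(); // duplicate parameter is ambiguous
                raw = pair.substring(PARAM.length());
            }
            if (raw == null) return Optional.empty();
            URI target = new URI(URLDecoder.decode(raw, StandardCharsets.UTF_8)).normalize();
            String host = target.getHost();
            boolean ok = "https".equalsIgnoreCase(target.getScheme())
                    && host != null
                    && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT)) // exact match only
                    && target.getRawUserInfo() == null // reject user@host authorities
                    && (target.getPort() == -1 || target.getPort() == 443);
            // Load the parsed URI, never the raw string, so checked and loaded values match.
            return ok ? Optional.of(target) : Optional.empty();
        } catch (URISyntaxException | IllegalArgumentException e) {
            return Optional.empty(); // malformed link or bad percent-encoding
        }
    }

    public static void main(String[] args) { // constructed sample targets
        String base = "redacted://messages.redacted.com?" + PARAM;
        for (String t : new String[] {"https%3A%2F%2Fwww.redacted.com%2Forders",
                "https%3A%2F%2Fwww.redacted.com.example.org%2F", "http%3A%2F%2Fwww.redacted.com%2F"}) {
            System.out.println(safeTarget(base + t).isPresent() + "  " + t);
        }
    }
}
```

Exact host matching avoids the prefix and suffix comparisons (`startsWith`, `contains`) that look-alike hosts pass, and rejecting on any parse error keeps the validator and the loader from disagreeing about which host a string names.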

Thanks for reading this article, I hope you guys learn something new today. Please share this article to spread the knowledge.

Don’t forget to follow and connect with me through Facebook, LinkedIn, and Twitter.
