Exploiting Activity in medium android app
2021-05-22 00:09:20 Source: infosecwriteups.com

Raju Kumar (Mrcyberwarrior)

Hello friends, I am Raju Kumar, a.k.a. Mrcyberwarrior. Let's get to the story. I found vulnerabilities in both the web and the Android applications of Medium, but the web vulnerabilities are not fixed yet, so here I will discuss one of the bugs found in the Android application: exploiting an exported activity. If you already know jadx-gui and have a basic idea of how Android applications are built, you can skip the first section and go straight to the detection and exploitation of the vulnerability.

jadx: a command-line and GUI tool that produces Java source code from Android Dex and APK files.

AndroidManifest.xml: every app must have an AndroidManifest.xml file. It describes the package, including the application's components (activities, services, broadcast receivers, content providers, etc.) and, for each component, whether other apps are allowed to reach it (the android:exported attribute).

Activity: an Android activity is one screen of the app's user interface. Every activity is declared in AndroidManifest.xml.

For more information, see the developer guide: https://developer.android.com/guide/

I decompiled the application with jadx-gui and then looked at AndroidManifest.xml. There I found that SaveToMediumActivity is exported, which means any other app installed on the same device can launch it and control the extras it receives.
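The manifest check above is the kind of triage you can script once you have the decompiled AndroidManifest.xml. The following is an added example written for this writeup, not the author's tooling or Medium's code. It applies the platform's export rules to each component (an explicit android:exported value, the implicit export an intent-filter gives on older targetSdk levels, and the old content-provider default) and then builds the same `adb shell am start` line used later in the writeup. The manifest it parses is constructed for illustration: only the package name and the SaveToMediumActivity name come from the writeup; every other component in it is made up.

```python
"""Flag components another app can reach, from a decompiled AndroidManifest.xml.

Added example for this writeup, not the author's tooling or Medium's code.
The manifest below is constructed for illustration; only the package name
and the SaveToMediumActivity name come from the writeup, the rest is made up.
"""
import shlex
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def exported_components(manifest_xml):
    """Return [(tag, fully qualified name, reason)] for every component that
    other apps on the device can start, following the manifest rules:
      * android:exported="true"                        -> exported
      * android:exported="false"                       -> not exported
      * attribute absent but an <intent-filter> exists -> exported by default
        (targetSdk 31+ requires an explicit value, so that case is flagged)
      * attribute absent, no filter                    -> not exported, except
        <provider> in apps with targetSdk <= 16, which defaults to exported
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    sdk = root.find("uses-sdk")
    target_sdk = int(_attr(sdk, "targetSdkVersion") or 0) if sdk is not None else 0
    app = root.find("application")
    found = []
    if app is None:
        return found
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        name = _attr(elem, "name") or ""
        if name.startswith("."):          # short form: relative to the package
            name = package + name
        exported = _attr(elem, "exported")
        has_filter = elem.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            reason = "no android:exported but has <intent-filter> (implicitly exported)"
            if target_sdk >= 31:
                reason += "; install fails on API 31+ until declared"
        elif exported is None and elem.tag == "provider" and 0 < target_sdk <= 16:
            reason = "provider with no android:exported and targetSdk <= 16"
        else:
            continue
        permission = _attr(elem, "permission")
        if permission:                    # exported, but only to permission holders
            reason += "; callers need permission " + permission
        found.append((elem.tag, name, reason))
    return found


def adb_launch_argv(package, activity, extras):
    """Build the `adb shell am start` argv the writeup uses, one -e per string
    extra.  Values are shell-quoted because `adb shell` hands the line to the
    device's shell, which re-parses it."""
    argv = ["adb", "shell", "am", "start", "-n", "%s/%s" % (package, activity)]
    for key, value in extras.items():
        argv += ["-e", key, shlex.quote(value)]
    return argv


# Constructed sample manifest (see the module docstring).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.medium.reader">
  <uses-sdk android:targetSdkVersion="29"/>
  <application>
    <activity android:name="com.medium.android.donkey.save.SaveToMediumActivity"
              android:exported="true"/>
    <activity android:name=".LegacyShareActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".PushReceiver" android:exported="true"
              android:permission="com.google.android.c2dm.permission.SEND"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in exported_components(SAMPLE_MANIFEST):
        print("%-8s %s\n         %s" % (tag, name, reason))
    print(" ".join(adb_launch_argv(
        "com.medium.reader",
        "com.medium.android.donkey.save.SaveToMediumActivity",
        {"android.intent.extra.TEXT": "https://attacker.com"})))
```

On the sample, SaveToMediumActivity and the receiver are reported because they are explicitly exported, LegacyShareActivity because an intent-filter without android:exported still means "exported" at targetSdk 29, and SettingsActivity and SyncService are skipped. A permission on an exported component is reported rather than hidden, since whether it actually blocks a third-party app depends on the permission's protection level, which the manifest of the target app alone does not tell you.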


Let's jump into the code of SaveToMediumActivity and statically analyse what it does.


Using the application, I saw that every article published on Medium has a Save button; once the user taps it, the article is added to the user's saved list. As an attacker, my idea was to push my own article, one that is not even published on Medium, into the victim's saved list.

As you can see in the code above, the activity saves the article to the saved list. This is where the vulnerability lies: the URL to save is read straight from the launching intent with getIntent().getStringExtra("android.intent.extra.TEXT"), so whatever an attacker's app puts in that extra is what gets saved, with no check that it is a Medium article at all.

Let's exploit this using adb:

adb shell am start -n com.medium.reader/com.medium.android.donkey.save.SaveToMediumActivity -e android.intent.extra.TEXT "https://attacker.com"
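The root cause is that the exported activity trusts whatever arrives in android.intent.extra.TEXT. If an activity does not need to be launched by other apps, android:exported="false" closes the hole outright; if it is meant to be a share target, it has to validate the incoming URL before acting on it. The following is an added example of such a check, written for this writeup in Python to show the logic; it is not Medium's code and the writeup does not say how Medium fixed the bug. Inside the Java activity the same rules would be applied to the EXTRA_TEXT string (android.net.Uri.parse yields the equivalent scheme, host and port) before anything is written to the user's saved list. TRUSTED_HOSTS is an assumed allow-list, and the inputs in the usage section are constructed (the writeup's adb payload plus common bypass attempts).

```python
"""Allow-list check for the URL an exported save/share activity receives.

Added example, not Medium's code and not a description of how Medium fixed
the bug.  Python is used to show the logic; inside the activity the same
rules would be applied to the EXTRA_TEXT string before anything is saved.
TRUSTED_HOSTS is an assumed allow-list, not taken from the app.
"""
from urllib.parse import urlsplit

TRUSTED_HOSTS = ("medium.com",)   # assumption: the app's own article hosts
MAX_URL_LEN = 2048


def is_trusted_article_url(url):
    """True only for an https URL whose host is a trusted host or a subdomain
    of one.  Each rejected case is a trick that a naive
    url.startswith("https://medium.com") or "medium.com" in url would miss."""
    if not isinstance(url, str) or not url or len(url) > MAX_URL_LEN:
        return False
    try:
        parts = urlsplit(url.strip())
        port = parts.port            # raises ValueError on a garbage port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False                 # rejects http://, javascript:, file:, content:
    if port not in (None, 443):
        return False                 # no surprise ports on the trusted host
    host = parts.hostname            # lower-cased, userinfo and port removed
    if not host:
        return False
    # Exact host or a real subdomain; "medium.com.attacker.com" fails both.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def handle_save_intent(extra_text):
    """What the exported activity should do with EXTRA_TEXT: validate, then
    act.  Returns the URL to save, or None to drop the request."""
    url = extra_text.strip() if isinstance(extra_text, str) else None
    return url if url and is_trusted_article_url(url) else None


if __name__ == "__main__":
    # Constructed inputs: the writeup's adb payload plus common bypass attempts.
    for u in ("https://medium.com/@someone/post-abc123",
              "https://attacker.com",
              "https://medium.com.attacker.com/",
              "https://attacker.com/medium.com",
              "https://medium.com@attacker.com/",
              "http://medium.com/x",
              "javascript:alert(1)"):
        print("%-45s %s" % (u, "save" if handle_save_intent(u) else "reject"))
```

The check parses the URL and compares the host component rather than matching on the string, which is what defeats the look-alike host, the trusted name placed in the path, and the userinfo trick where the trusted name sits before an @ and the real host after it. Whether the app should also canonicalise the saved URL (strip tracking parameters, resolve short links) is a separate decision; the point here is only that an exported component must not trust its caller.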

PoC of the exploit in Java:

I created an application using the above code; let's exploit it.

Thanks for reading.

Bug Reported: Sep 29, 2020

Bug fixed and bounty rewarded: Oct 2, 2020

For queries, you can DM me on Twitter. Feedback is always welcome.

Happy Hacking :)


Source: https://infosecwriteups.com/exploiting-activity-in-medium-android-app-e2e6f3553eef?source=rss----7b722bfd1b8d--bug_bounty