Broken Link Hijacking — 404 Google Play Store— xxx$ Bounty
2021-12-15 15:02:50 Author: infosecwriteups.com

Proviesec

Hello Folks 👋, this is my first write-up, and I will tell you how I ended up getting an xxx$ bounty for a simple Broken Link Hijacking involving the Google Play Store.

Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page. Broken Link Hijacking comes in two forms, reflected and stored. This issue has been exploited in the wild numerous times, but surprisingly few researchers actively look for broken links in bug bounty programs.

And here is my story:

I was on the corporate site of a larger company and fired up my “broken link hijacking” scanner (you can find tools for this at the end of the article). With it I found several links, but one piqued my interest: a link returning status 404 (not found) that pointed to the Google Play Store. Since I have developed apps myself, I knew that Play Store links are unique and correspond to the package name of an app. So I took a closer look and found that I was able to take over the link. After taking it over, I reported the bug and even got a reward for it.

  1. I visit the homepage https://redacted.com/about (redacted.com, since I am not allowed to mention the real company name).
  2. Click on “Mobile App for Android”.
  3. The link led to a status 404 page (not found; see figure below):
    https://play.google.com/store/apps/details?id=com.XXredactedXX.android
  4. Since no app with that package name existed in the Play Store, anyone could simply register the name.

I checked whether the package name (com.XXredactedXX.android) was still free, and since it was, I registered it. Here is a good guide to registering names in the Google Play Store: https://support.google.com/googleplay/android-developer/answer/9859152?hl=en

The ‘package name’ is the `id` parameter in the URL of the page where your app resides on the Play Store. It simply comes from a field you or your developer enter in the Google Play Console. The characters after the “=” sign are the app’s package name (e.g., the Facebook Lite package name is com.facebook.lite in https://play.google.com/store/apps/details?id=com.facebook.lite&hl=en&gl=US).

The applicationId in the app’s build configuration is the package name.
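To show the two mechanics the write-up relies on, extracting the `id` parameter (the package name) from a Play Store link and checking whether the store page still resolves, here is an added example of a small audit script. It is not code from the original article or its author: it pulls every `play.google.com/store/apps/details` link out of a page's HTML, validates the package name, and can optionally fetch the store page so a site owner can find dangling app links before anyone else does. The HTML, domains and package names in `SAMPLE_HTML` are constructed for the example; `store_page_status` makes a real network request and is only called when the script is run with `--check`.

```python
"""Audit a page's outbound Google Play links for dangling package names.

Added example (not from the original write-up). Extracts every
play.google.com/store/apps/details link from an HTML document, pulls the
package name out of the ``id`` query parameter, validates its shape, and
can optionally check whether the store page still resolves (200 vs 404).
"""
import re
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Android package names: dot-separated identifiers, at least two segments,
# each starting with a letter (the shape the Play Console accepts).
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


class LinkExtractor(HTMLParser):
    """Collect href values of every <a> tag; html.parser unescapes &amp; for us."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.hrefs


def play_store_package(url):
    """Return the package name from a Play Store details URL, or None."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or u.netloc.lower() != "play.google.com":
        return None
    if u.path.rstrip("/") != "/store/apps/details":
        return None
    ids = parse_qs(u.query).get("id", [])
    if len(ids) != 1 or not PACKAGE_RE.match(ids[0]):
        return None
    return ids[0]


def find_play_store_packages(html):
    """Map each Play Store link found on the page to its package name."""
    found = {}
    for href in extract_links(html):
        pkg = play_store_package(href)
        if pkg:
            found[href] = pkg
    return found


def store_page_status(package, timeout=10):
    """Network check: HTTP status of the store page (404 means the name is unclaimed)."""
    url = "https://play.google.com/store/apps/details?id=" + package
    req = urllib.request.Request(url, headers={"User-Agent": "broken-link-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


# Constructed sample page: one Play Store link, one non-Play link, one with extra params.
SAMPLE_HTML = """<html><body>
<a href="https://redacted.example/about">About</a>
<a href="https://play.google.com/store/apps/details?id=com.example.android">Mobile App for Android</a>
<a href="https://apps.apple.com/app/id000000">iOS App</a>
<a href="https://play.google.com/store/apps/details?id=com.facebook.lite&amp;hl=en&amp;gl=US">Facebook Lite</a>
</body></html>"""


if __name__ == "__main__":
    packages = find_play_store_packages(SAMPLE_HTML)
    for href, pkg in packages.items():
        line = f"{pkg}  <-  {href}"
        if "--check" in sys.argv:  # only hit the network when asked
            line += f"  status={store_page_status(pkg)}"
        print(line)
```

Run it on your own site's HTML and treat any package name that returns 404 as an action item: either publish the app under that name or remove the link. Note that a 200 only proves *some* app exists under the name, so also confirm the listed developer is yours.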

A victim can arrive at the page via link forwarding, search engines or a phishing mailing. If they then want to download the app, an attacker who has claimed the package name can upload a malicious app under it. This could damage the reputation of the company or be used to phish for login data.

Timeline:

Submitted: 05 Aug, 2021

Accepted: 10 Aug, 2021

Triaged: 19 Aug, 2021

Resolved: 07 Oct, 2021

How Can You Find Broken Links?

Similar reports:

https://hackerone.com/reports/1117079
https://hackerone.com/reports/1205604
https://hackerone.com/reports/1188629
https://hackerone.com/reports/1338457

Also look for broken links on websites. Such bugs can earn you a bounty, are often overlooked, and can have serious consequences for a company.

Since this is my first report, please feel free to ask me questions and suggest any changes that I should consider next time. Thank you for reading. 👋


Article source: https://infosecwriteups.com/broken-link-hijacking-404-google-play-store-xxx-bounty-96e79a8dfd71?source=rss----7b722bfd1b8d--bug_bounty