Gcash Vulnerability Walkthrough
Advisory: Update your Gcash App now to the latest version.
Disclaimer: The purpose of this research is to improve and strengthen security; all issues discovered in this research were reported to the security team. The researcher is not affiliated with any hacking group. The researcher did not include the sensitive data in this write-up, to reduce exposure to the vulnerability. The researcher follows the vulnerability disclosure policy.
Key Findings
- A malicious actor can load arbitrary URLs, Universal Cross-Site Scripting (UXSS) payloads, and local files into the internal WebView of the Gcash application, with or without user interaction, using a malicious script or a malware application.
- A malicious actor can open a phishing site directly inside the Gcash application without the user's knowledge.
- A malicious actor can steal the file system of the Gcash application, including the user databases and sandbox files, and send it to the attacker's web server by intercepting an implicit intent with a component controlled by the malicious actor.
- A malicious actor can bypass the MPIN Passcode of the Gcash user account, with the ability to transfer money to other Gcash accounts, withdraw money from bank accounts, connect and disconnect bank accounts, and perform other malicious activities.
- A malicious actor has the ability to take over the Gcash application to steal user credentials, including the One Time Pin (OTP) and MPIN Passcode, and perform other malicious activities.
Introduction
First of all, I would like to thank Jaypee Marquez and John Patrick Lita for helping me reach out to the Globe Team, and also the Globe Team for their very quick responses and for handling my reports responsibly.
These days scams and bank hacking incidents are growing very fast. As a security researcher, my idea was to penetrate the Gcash banking application to test its security for a good reason: to protect users and strengthen security. Please don't do this if you don't have the right knowledge of penetration testing; it can cause serious damage to the company or organization.
What's Gcash? According to them, Gcash turns your mobile phone into a virtual wallet. Using the Gcash app, you can pay for items and send money at the speed of a text message.
Alright, let's start. I downloaded the latest Gcash application version from the Play Store (take note: if you want to test an application, always download the latest version from the Google Play Store). Then I reversed the Gcash app and read the source code of the application's activities one by one, looking for bugs. This was very difficult to understand, since some of the code is encrypted and non-readable.
A few days passed and I discovered vulnerabilities one by one. I developed a simple malware Android application to exploit the vulnerability as my proof of concept. Please note that some of the vulnerabilities and proofs of concept are still not included in this write-up; please understand the confidentiality.
Imagine a serious vulnerability like this discovered by someone with bad intentions who uses it for bad purposes: it would cause millions in losses and impact both the users and the Gcash company.
Arbitrary Deeplink Vulnerability
Some of the Gcash activities use a deeplink Uri to launch URLs inside the Gcash application without sanitizing the scheme, host, and URL that pass through the activity before they are used. This can be abused to load arbitrary URLs, UXSS payloads, and files, and also to bypass the host validation.
As you can see above, instead of https://gcash.com it redirects to https://evil.com. The scheme is not filtered either; an attacker can try javascript:// as shown below, but it does not work directly.
To bypass the scheme validation, a malicious actor can URL-encode the scheme; the validation is bypassed and the XSS fires.
In the same way, for the file scheme validation bypass, a malicious actor needs to know the right path of the Gcash application in order to read the Gcash app file system, where the databases and sandbox files are located.
If you’re not familiar with this kind of vulnerability you can read my write-up link: https://medium.com/5tCniETAFtb
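To illustrate the root cause and the fix, here is an added example that is not code from the Gcash app or from the original post: a naive scheme denylist of the kind that the URL-encoding trick above walks around, next to a validator that percent-decodes first and then enforces an allowlist of scheme and host. The allowed hosts and the file path in the test are constructed placeholders, not values from the page.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist for this example; the app's real permitted hosts are not on the page.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"gcash.com", "www.gcash.com"}

# The weak pattern: a string-prefix denylist applied to the raw, still-encoded input.
NAIVE_BLOCKED_PREFIXES = ("javascript:", "file:")

def naive_scheme_check(url: str) -> bool:
    """Returns True when the raw string does not start with a blocked scheme.
    A percent-encoded scheme such as %6A%61vascript: slips straight through."""
    return not url.lower().startswith(NAIVE_BLOCKED_PREFIXES)

def normalize(url: str) -> str:
    """Percent-decode a bounded number of rounds (handles double encoding)
    and drop non-printable characters, so the check sees the decoded form
    that the WebView would eventually interpret."""
    prev, cur = None, url.strip()
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return "".join(ch for ch in cur if ch.isprintable())

def is_safe_deeplink_target(url: str) -> bool:
    """Allowlist check: only https, no userinfo tricks (https://gcash.com@evil.com),
    and a host that exactly matches the allowlist. javascript:, file:, foreign
    hosts and encoded variants of any of these are all rejected."""
    parts = urlsplit(normalize(url))
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS
```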
Webpage Exploit
As you can see below, these are examples of the crafted webpage with which the malicious actor loads arbitrary URLs, UXSS payloads, and files.
Proof of Concept
Arbitrary Vulnerability
According to the Android developer docs, an activity is considered exported in the following two cases:
- The activity has the android:exported="true" attribute in its definition.
- android:exported is not defined at all and the activity has at least one intent-filter.
Every Android app has a file called AndroidManifest.xml.
As you can see above, this is an activity defined in an example Android app.
- The activity is com.example.android.MainActivity. This name is derived from the directory the file is in, so it means there is a file named MainActivity.java in the directory com/example/android/.
- Even though the android:exported attribute is not set on MainActivity, it is still considered exported because the activity has an intent-filter defined.
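The two rules above can be applied mechanically to a manifest to list which activities are reachable by other apps. The following is an added example, not code from the post or from Gcash, that audits a constructed sample AndroidManifest.xml (package name and activity names are made up) and reports each activity's effective exported state.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for this example (not the Gcash manifest): one activity
# implicitly exported by its launcher intent-filter, one explicitly exported deeplink
# handler, one explicitly private, and one with neither attribute nor filter.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.android">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeeplinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".WebViewActivity" android:exported="false"/>
    <activity android:name=".InternalActivity"/>
  </application>
</manifest>
"""

def exported_activities(manifest_xml: str) -> dict:
    """Map each fully-qualified activity name to True if it is exported under the
    two documented rules: exported="true", or exported unset with an intent-filter."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    result = {}
    for act in root.iter("activity"):
        name = act.get(f"{{{ANDROID_NS}}}name", "")
        if name.startswith("."):            # shorthand relative to the package name
            name = pkg + name
        exported = act.get(f"{{{ANDROID_NS}}}exported")
        has_filter = act.find("intent-filter") is not None
        result[name] = has_filter if exported is None else exported.lower() == "true"
    return result
```

Every activity reported True is an entry point whose incoming intent data must be treated as untrusted input.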
Gcash Vulnerable Code
As you can see above, this vulnerable code is from the Gcash application: the URL passes through the activities without being sanitized or validated.
Malware Exploit
- Arbitrary URLs.
- Arbitrary Universal Cross-Site Scripting (UXSS)
- Arbitrary Files
If you’re not familiar with this kind of vulnerability you can read my write-up link: https://medium.com/iNMOgsBqBtb
Proof of Concept
MPIN Bypass Vulnerability
Let's take a look below at how the Gcash application's security is implemented.
After passing the One Time Pin (OTP) security, the user is required to pass the MPIN Passcode security; if the user has enabled biometric security, the user can log in without the MPIN Passcode.
Finally, I discovered how to bypass the One Time Pin (OTP) security. The only problem is that when I tried to transfer money to other bank or Gcash accounts it gave an error, and a few hours later it automatically logged out of the Gcash account. That is why I have not included the One Time Pin (OTP) bypass in the key findings.
Chaining the One Time Pin (OTP) bypass to bypass the MPIN Passcode using the same technique, I developed an exploit application to bypass the MPIN Passcode, and it works completely without any error: I can transfer money to other Gcash accounts without passing the MPIN Passcode security.
Proof of Concept
Disclosure Timeline
- September 4, 2022 — I reported to the Globe Team the multiple vulnerability issues that I discovered.
- September 5, 2022 — The vulnerability issues were confirmed and being processed.
- September 8, 2022 — The Globe Team sent me an appreciation token, a 0917Lifestyle gift.
- September 9, 2022 — I received the packages of the 0917Lifestyle gift (smart watch, mouse, router, power bank, and headphones).
- October 2, 2022 — Before publishing my write-up I retested the Gcash app to confirm the patch. I was not able to reproduce the vulnerability issues.
- October 3, 2022 — The Globe Team requested that I delete my write-up post; the main reason was that it was not fully patched, pending Gcash confirmation, while implementing and adding security.
- October 10, 2022 — I received the email that the vulnerability has been fully patched.
Thanks for reading this article; I hope you learned something new today. Please share this article to spread the knowledge.
Don’t forget to follow and connect with me through LinkedIn, and Twitter.