Shopping App Deeplink Arbitrary URLs
In this write-up, I’ll tell you how I was able to launch Arbitrary URLs to the internal web of the shopping application.
Description
Due to the lack of URLs Sanitization that passes through activities, It’s possible to launch Arbitrary URLs to the internal web of the shopping application using a crafted website and malware applications. Also, I tried to bypass the host validation to launch Universal Cross-Site Scripting (UXSS) it seems looks not vulnerable to the attack since there’s another filter to the host.
- In file com/redacted/android/maintab/MainTabActivity.java
As you can see above the vulnerable code contains (scheme redacted://, host messages.redacted.com, and parameter message_target_url=) by adding malicious URLs to an endpoint to launch arbitrary URLs to the internal web of the shopping application here is the final deeplink below.
Proof of Concept
- In file PoC.html
As you can see above the poc.html was crafted on a malicious website to launch deeplink inside shopping app.
- In Malware application
As you can see above a malware application or third-party application launch arbitrary URLs to the internal web of the shopping app.
Disclosure Timeline
- December 18, 2021 — I reported this vulnerability issue.
- December 19, 2021 — The report has been review and confirmed the vulnerability.
- January 22, 2022 — The vulnerability has been patched and got a bounty.
Thanks for reading this article, I hope you guys learn something new today. Please share this article to spread the knowledge.
Don’t forget to follow and connect with me through LinkedIn, and Twitter.