I’m glad you’re here. Please have fun reading (nmochea).
I found that an HTML payload placed inside the <title> tag is used by reading mode without passing through sanitization.
Relevant snippet from com.android.browser.readmode.e.java:
Relevant snippet from file:///android_asset/readmode/reading_mode_html_internal.js:
After the contents of the HTML <title> tag are read into a string, that string is not passed through sanitization.
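To make the mechanism concrete, here is an added example (not the browser's own code and not the snippets from the original report): a title is extracted from a document string, then rendered either by concatenating it as markup, which is the flaw described above, or by escaping it first. The function names, the sample HTML and the reader-title markup are assumptions for the demonstration.

```javascript
// Added example, not code from the Android browser. Assumed names:
// extractTitle, escapeHtml, renderTitleUnsafe, renderTitleSafe, demo.
// Runs under Node with no DOM; it works on strings only.

// Pull the text between <title> and </title> out of a raw HTML document.
function extractTitle(html) {
  const m = /<title[^>]*>([\s\S]*?)<\/title>/i.exec(html);
  return m ? m[1].trim() : "";
}

// Escape the characters that let text break out of an HTML text node or
// attribute. This is the step the report says the reading-mode code skipped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the title string is concatenated into the page as markup,
// so any tags inside <title> become live elements in the reader view.
function renderTitleUnsafe(title) {
  return '<h1 class="reader-title">' + title + "</h1>";
}

// Hardened pattern: the title is treated as text; tags are shown, not parsed.
function renderTitleSafe(title) {
  return '<h1 class="reader-title">' + escapeHtml(title) + "</h1>";
}

// Constructed sample document whose <title> carries markup.
const SAMPLE_HTML =
  "<html><head><title>Hello <b>world</b></title></head><body></body></html>";

// Returns both renderings of the sample title for side-by-side comparison.
function demo() {
  const title = extractTitle(SAMPLE_HTML);
  return { title, unsafe: renderTitleUnsafe(title), safe: renderTitleSafe(title) };
}
```

In the unsafe rendering the `<b>` element is parsed as part of the reader page; in the safe rendering it is displayed literally.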
Steps to Reproduce
- Create a file malware_frame.html with the following content:
- Create a file poc.html with the following content:
- Run a local web server on localhost:8080
- In the browser, open the following URL: http://localhost:8080/poc.html
April 30, 2021 – I reported this vulnerability on the HackerOne platform.
May 8, 2021 – My report was triaged.
May 17, 2021 – The vulnerability was fixed and I received a bounty.
Thanks for reading this article. I hope you learned something new today. Please share this article to spread the knowledge.