This repository was archived by the owner on Mar 30, 2022. It is now read-only.

two fixes for two vulnerabilities #4

Closed
wants to merge 3 commits into from

Conversation

erev0s

@erev0s erev0s commented Oct 16, 2021

  • the first fix is regarding the fileprovider and the fact that in order to be able to read the contacts you actually have to request the permission at some point. I have added that to be done right after the login.
  • the second fix is regarding the ProductDetailBroadCast, which I believe was intended to have the url put extra assigned from the incoming intent.

@hax0rgb
Contributor

hax0rgb commented Nov 9, 2021

Thanks @erev0s, appreciate your contribution.

  1. Regarding the first fix, you are correct that "read contacts" permission is required. You can enable this permission by going to App Info > Permissions. Here you need to enable the Contacts permission. In the next release, I'm going to add a run-time contact permission. I'm going to review your changes and if all goes well, I'm going to push it in the next release.

  2. The second one does not require any changes and is working as intended. Your changes suggest adding getStringExtra("url"), which should allow you to load any URL. However, you can still load an arbitrary URL with the current implementation. You can intercept the implicit intent and load any arbitrary URL. This is a really tricky and interesting issue. I'll try to post the complete solution in the next few months.
    Reference: https://docs.insecureshopapp.com/insecureshop-challenges/intercepting-implicit-intent-to-load-arbitrary-url

@erev0s
Author

erev0s commented Nov 10, 2021

Hey @0xgaurang, thanks for getting back to me. In this case I can close this. Looking forward to your post.

@erev0s erev0s closed this Nov 10, 2021
@shaiquie-zieye

2. However, you can still load an arbitrary URL with the current implementation. You can intercept the implicit intent and load any arbitrary URL.

@hax0rgb do you mind highlighting how this can be done?

@hax0rgb
Contributor

hax0rgb commented Jan 4, 2022

Hi @shaiquie-zieye

I have highlighted the vulnerable code here: https://docs.insecureshopapp.com/insecureshop-challenges/intercepting-implicit-intent-to-load-arbitrary-url

You can take advantage of the android.permission.SYSTEM_ALERT_WINDOW permission to intercept the intent and load an arbitrary URL.

I'm planning to post a complete solution by next month. Sorry for getting this delayed.
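The two points raised in this thread, the missing run-time READ_CONTACTS request (erev0s's first fix) and the interceptable implicit intent carrying the product URL (hax0rgb's second point), as an added defensive example. This is not InsecureShop's code: LoginActivity, ProductDetailActivity, onLoginSucceeded and the "url" extra are assumed names, and the page's ProductDetailBroadCast is not reproduced.

```kotlin
// Added example, not the project's own code. Class and method names are assumptions.
import android.Manifest
import android.content.Intent
import android.content.pm.PackageManager
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AppCompatActivity
import androidx.core.content.ContextCompat

class LoginActivity : AppCompatActivity() {

    // READ_CONTACTS is a "dangerous" permission: a manifest entry alone is not
    // enough on API 23+, the app must ask at run time, here right after login.
    private val requestContacts =
        registerForActivityResult(ActivityResultContracts.RequestPermission()) { granted ->
            if (granted) loadContacts() else showContactsUnavailable()
        }

    // Assumed hook, called once credentials have been accepted.
    private fun onLoginSucceeded() {
        val state = ContextCompat.checkSelfPermission(this, Manifest.permission.READ_CONTACTS)
        if (state == PackageManager.PERMISSION_GRANTED) {
            loadContacts()
        } else {
            requestContacts.launch(Manifest.permission.READ_CONTACTS)
        }
    }

    // An implicit intent (action + data, no component) can be answered by any
    // installed app whose filter matches, so an outside app can receive or
    // swap the "url" extra. Pinning the target component keeps the intent,
    // and its extra, inside this package; an allowlist check on the URL
    // limits what the detail screen will load even if the extra is tampered.
    private fun openProductDetail(url: String) {
        require(isAllowedProductUrl(url)) { "refusing to open non-allowlisted URL" }
        val intent = Intent(this, ProductDetailActivity::class.java).apply {
            setPackage(packageName)   // explicit delivery only
            putExtra("url", url)
        }
        startActivity(intent)
    }

    // Assumed allowlist: only https links on the shop's own host are accepted.
    private fun isAllowedProductUrl(url: String): Boolean {
        val uri = android.net.Uri.parse(url)
        return uri.scheme == "https" && uri.host == "insecureshopapp.com"
    }

    private fun loadContacts() { /* query ContactsContract via contentResolver */ }
    private fun showContactsUnavailable() { /* degrade gracefully without contacts */ }
}
```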

@shaiquie-zieye

You can take advantage of the android.permission.SYSTEM_ALERT_WINDOW permission to intercept the intent and load an arbitrary URL.

Thank you @hax0rgb for the hint.
