Traveloka Android App Critical Vulnerability

An exported WebView in the Traveloka Android app lets any third-party app open arbitrary URLs in it (XSS), and lets an attacker with physical access read any of the app's protected files.

Researcher: Tony of The Tarantula Team, VinCSS (a member of Vingroup)

Background

We found an exported WebView Activity (com.traveloka.android.activity.common.WebViewActivity) in the Traveloka Android app that has no protection mechanism at all. This means it can be launched by any third-party app installed on the same device (the device does not need to be rooted). On the newest Android versions it could also be exploited by Android Instant Apps directly from a web browser.

In com.traveloka.android.activity.common.WebViewActivity we can see that this WebView takes the URL from the Intent data and loads it:

Because this WebView, like most of Traveloka's WebViews, has a JavaScript interface enabled, we can open arbitrary URLs and execute XSS through com.traveloka.android.activity.common.WebViewActivity.

We can also read any protected file under the /data/data/com.traveloka.android/ directory (by default on Android, files stored under /data/data/ cannot be accessed or read unless the device is rooted):

Traveloka stores a lot of sensitive customer information (including account information, fingerprint tokens, OTP tokens and more) in the shared_prefs folder, so a lot of sensitive information can be obtained through this vulnerability:

So, with this vulnerability, a malicious application or an application from one of Traveloka's competitors could carry exploit code to do the following:

  • Prevent the Traveloka app from running (by passing extra data or malformed data to the vulnerable Activity).
  • Execute JavaScript code to display deceptive, fake or politically sensitive content in the Traveloka app's Activity, or display phishing content to trick Traveloka users into providing sensitive information. There is no way to use JavaScript to get sensitive information directly.

Or an attacker who has physical access to the user's device can:

  • Read sensitive protected files via this vulnerability. Yes, attackers need physical access, because in this case there is no way for a third-party application to read the content of the sensitive files directly.
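As an added illustration of the fix the report calls for (this is example code, not Traveloka's), the hardened Activity below validates the Intent data before loading it: only https URLs on an allow-listed host are accepted, so file://, javascript: and content:// URIs from a third-party app are refused, and the WebView's file-access settings are switched off as a second layer. The class name and allow-listed host are assumptions.

```java
// Added example, not Traveloka's code. The allow-list host and class name
// are assumptions; in AndroidManifest.xml the Activity should also carry
// android:exported="false" unless other apps are meant to launch it.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class HardenedWebViewActivity extends Activity {
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com")); // assumed host

    /** Returns true only for https URLs whose host is on the allow-list. */
    static boolean isAllowedUrl(Uri uri) {
        if (uri == null) return false;
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // javascript:alert(1) has no host; file:///... has no https scheme.
        if (scheme == null || host == null) return false;
        if (!"https".equalsIgnoreCase(scheme)) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri target = getIntent().getData();
        if (!isAllowedUrl(target)) {
            // Untrusted or malformed Intent data: refuse instead of loading it.
            finish();
            return;
        }
        WebView webView = new WebView(this);
        WebSettings settings = webView.getSettings();
        // Even with a validated URL, close the file:// read paths the report abuses.
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        settings.setAllowContentAccess(false);
        setContentView(webView);
        webView.loadUrl(target.toString());
    }
}
```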

Steps to Reproduce

Install the Traveloka Android app v3.14.0 or earlier (https://play.google.com/store/apps/details?id=com.traveloka.android) and log in with any customer account.

To reproduce this vulnerability with adb:

adb shell am start -n com.traveloka.android/com.traveloka.android.activity.common.WebViewActivity -d "file:///data/data/com.traveloka.android/shared_prefs/com.traveloka.android.pref_user.xml"
adb shell am start -n com.traveloka.android/com.traveloka.android.activity.common.WebViewActivity -d "javascript:alert\(1\)"

To reproduce this vulnerability from a third-party app:

import android.content.Intent;
import android.net.Uri;

// Launch the exported Activity with a file:// URI as the Intent data
Intent intent = new Intent();
intent.setClassName("com.traveloka.android", "com.traveloka.android.activity.common.WebViewActivity");
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
intent.setData(Uri.parse("file:///data/data/com.traveloka.android/shared_prefs/com.traveloka.android.pref_user.xml"));
startActivity(intent);

Tested versions

Latest version of the Traveloka Android app (v3.14.0), released September 03, 2019.

Disclosure timeline

  • August 05, 2019: Report submitted to Traveloka.
  • September 03, 2019: No response received from the Traveloka security team so far.
  • September 17, 2019: Sent a final warning to Traveloka via LinkedIn. Still no response from the Traveloka security team.
  • September 22, 2019: Discussed with the Traveloka security team and agreed to keep my GitHub post private until the new version (v3.15.0) is released.
  • October 7, 2019: Made the GitHub post public after Traveloka had released version v3.15.3.

Reference

[1] CWE-926: Improper Export of Android Application Components
