Insecure deeplink handling

Open Redirect via insecure deeplink url handling

Description

The vulnerability were found in a Brazilian insurance Android app in a black box approach (without user account). This one were using a deeplink looking like target://open_browser?url=https://sub.target.br/something and I found that the "url" parameter used by the deeplink did not verify that the given URL were trusted allowing to redirect users to arbitrary domains.

Exploitation

First I analyzed the AndroidManifest.xml file of the APK to find the deeplinks that were used by the app.

I found that the app were using deeplinks like:

https://target.br, https://target.test-app.link and target://*

So after listing the application deeplinks, I started to statically analyze de code to check how these deeplinks were found. Unfortunately, the app were well obfuscated and it was hard to statically analyze it.

As I didn't have any account on the application, I also didn't found any information about it by using dynamic analysis.

So I kept digging and found that one of the firebase database used by the application was publicly readable (but without write rights). In this database, I found an interesting information.

Indeed, I found a deeplink like target://open_browser?url=https://sub.target.br/.

Firebase database read access

Immediately, I did what every hunter would do. I tried to trigger the deeplink with an arbitrary URL and it worked.

3 solutions:

  • via adb: adb shell am start -a "android.intent.action.VIEW" -c "android.intent.category.BROWSABLE" -d "target://open_browser?url=https://attacker.xyz/"

  • via a qrcode

  • via an other app hyperlink

The app opened my arbitrary url in my default browser app.

Unfortunately, as the URL were not opened in a webview directly in-app, I was not able to escalate the vulnerability or chain it with an other one.

Risks

The risks are mainly the same that on an open redirect on a website but on such context it is harder to chain the vulnerability with other vulnerabilities like XSS injection or Oauth ATO while the url were open in an other app (browser app) so it goes out of the application's context.

Anyway, attackers could still exploit this vulnerability for phishing purposes.

Reward

PreviousInsecure root detection implementation

Last updated