Franc shipped an Android feature that loads “trusted” web content into a WebView. The app receives a deeplink
containing a url parameter and decides whether to attach a privileged header:
• If the target host equals www.example.com, it appends an internal Authentication Bearer header.
• Otherwise, it loads the URL normally.
Franc is proud of one thing: he locked the host.
He ignored the security team’s warnings about webview takeover ...
“WebView takeover… so what… they can’t get my token.”
What should you send?
A payload in any form :)
What should this payload do?
It should force the app to send the token to any given server.
If your payload does such a thing... report it immediately to https://twitter.com/Ch0pin as
he is responsible for this mess. We will add you in our HoF for that, but no CVE ....
Constraints: No root/frida/etc...
Hint: Solve this first by loading ANY website in the application's webview (not the browser)
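For contrast, here is how the defender side of this feature should be written: an added example, not the challenge app's code, in which the deeplink is parsed with `Uri`, the privileged header is attached only for an absolute https URL whose host is exactly www.example.com, an untrusted target is not loaded into the WebView at all, and the WebView is kept on the trusted host for later navigations. The class name `TrustedWebViewLoader`, the method names and the use of the standard `Authorization` header name are assumptions.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.Map;

// Added example with hypothetical names; not the challenge app's code.
public final class TrustedWebViewLoader {
    private static final String TRUSTED_HOST = "www.example.com";

    // Accept only an absolute https URL whose host is exactly the trusted host;
    // other schemes, other hosts, a credentials part in the authority, or an
    // unparsable value are all rejected.
    static boolean isTrustedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        if (!uri.isAbsolute() || !uri.isHierarchical()) return false;
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false;
        String host = uri.getHost();
        return host != null && host.equalsIgnoreCase(TRUSTED_HOST);
    }

    // Attach the privileged header only when the deeplink target passed the
    // check above, and never load an untrusted target into this WebView at all.
    static void loadFromDeeplink(WebView webView, String url, String bearerToken) {
        if (!isTrustedUrl(url)) {
            webView.loadUrl("about:blank");
            return;
        }
        webView.setWebViewClient(new WebViewClient() {
            // Re-check on every later navigation so the WebView stays confined
            // to the trusted host; returning true blocks the load.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrustedUrl(request.getUrl().toString());
            }
        });
        // Assumption: the app's header is the standard "Authorization" header.
        Map<String, String> headers =
                Collections.singletonMap("Authorization", "Bearer " + bearerToken);
        webView.loadUrl(url, headers);
    }
}
```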

Franc is a beginner Android developer who was tasked with creating an app to securely store a secret in the
SharedPreferences folder. Lacking experience in secure coding practices, Franc came up with a peculiar
solution: he added a button to the app that crashes it deliberately, hoping this would deter any attempts
to exploit the app.
Your challenge: Develop an app that outsmarts Franc’s flawed logic. Force his app to send you the secret
stored in its SharedPreferences and display the secret in a TextView within your app.
What should you send?
- The exploit for Franc's app (an apk or code which I just need to copy/paste into an empty Android Studio project)
- A PayPal account to receive your 80 euro reward
Ahhh.....
Unfortunately, Franc is on a tight budget, so only the first solution will receive the reward. The rest will earn a spot on our humble wall of fame. :)
Good luck !

We've launched a super-secure browser with unique security settings, and we take pride in our product.
We're actively working to enhance the user experience by addressing a few UI design issues, including
an intermittent webview jumping when typing. Your feedback and support are essential in making our
browser even better.
If you manage to send our secure cookie to www.example.com then report it immediately
to https://twitter.com/Ch0pin as he is responsible for this mess. We will add you in our HoF for
that, but no CVE (although I think you can request one).
Constraints: No root/frida/etc... The PoC should work for SDK version > 32
Good luck !

Can you change the "Connected to" to point to your server, without breaking the sandbox?
NO ADB, NO ROOT, NO FRIDA/OBJECTION solutions are accepted... Just plain user input
Submission: PM me at @ch0pin and I'll add your name to the Hall Of Fame
Do you have something to teach the community? Then just Clone -> PR -> and we will see about it :)

- @jackds.nl (first blood)
- @tomisec
- @iamsalimabdella
- @minamikazecafe
- @Ath3r1s
- @hulkvision
- @fr4via
- @tntnavigator
- @zep3hyr
- @AlQa3Qa3M0x0101
- @happyjester80
- @AhcenZen
- @joo_elsaka
- @gelosecurity
- Mohamed Salah

- @sdexyz (first blood)
- @bl4ckh0l3z
- @pm_atbrik
- @megatr0nz
- @kirasumairu1
- @thongvv10
- @rpinuaga
- @_blackb3ard
- @EzV01d
- @jgmfingers
- @komen205
- @s5uraj
- @saitawngpha
- @norvarius
- TheDauntless
- @minamikazecafe
- @saspect488
- @tomiwa_ot
- @SeanPesce
- @bernasv
- @hulkvision
- @tomisec
- @iamsalimabdella
- @fr4via
- @xbr01_
- @AlQa3Qa3M0x0101
- @happyjester80
- @joo_elsaka
- @r_srikesh
- @Wixter_07
- @AhcenZen
- Mohamed Salah