Journey from low to critical bug $$$

Android insecure IPC leads to Full Account Takeover via IDOR

Hello folks,

I’m Dheeraj Madhukar, a working professional. I have been working for a long time with large government as well as private organizations in the field of Cyber Security, VAPT and Forensics.

I started around 7.5 years ago, but during this time I never tried any Bug Bounty platform, until now. So I decided to share my experience with you!

In this writeup I am sharing a few of the scenarios which I reported to a private program. Let’s look at two scenarios:

Scenario#1

Let’s consider the org name as “example.com”. I decided to start with the Android app. First, I used apktool to decompile the app so I could analyse the AndroidManifest.xml file, then searched for activities declared with exported=”true”. I found one:

As we can see, this activity is called “ForgetConfirmPassword”, which means we can call it directly and bypass the forgot-password flow. This is an Insecure IPC [ Inter Process Communication ] bug in the Android app.

Insecure IPC [ Inter Process Communication ] : Android components communicate through an internal messaging mechanism by sending intents to each other. An intent can also be sent by an unauthorised caller, i.e. a malicious app, which can abuse an exported component to make your application perform sensitive actions outside your control.

PoC (the -n argument of am start takes the component as package/activity):

adb shell am start -W -n com.example/.ForgetConfirmPassword
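To make the manifest review from Scenario 1 repeatable, here is a small checker added to this writeup (it is not the author’s or the app’s code). It runs on a constructed manifest that mimics the pattern described above, and goes one step further than searching for exported=”true”: it also flags components that are exported implicitly because they declare an intent-filter without an explicit exported attribute.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every AndroidManifest.xml
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not the real app's) mirroring the writeup's pattern
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ForgetConfirmPassword" android:exported="true"/>
    <activity android:name=".LoginActivity" android:exported="false"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
  </application>
</manifest>
"""


def exported_components(manifest_xml):
    """Return every component reachable by other apps, with the reason it is exported."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    findings = []
    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith("."):          # relative class name -> fully qualified
                name = pkg + name
            exported = el.get(ANDROID_NS + "exported")
            has_filter = el.find("intent-filter") is not None
            if exported == "true":
                reason = "explicit exported=true"
            elif exported is None and has_filter:
                reason = "implicit: intent-filter without exported attribute"
            else:
                continue                      # exported=false, or no filter: not reachable
            # The launcher activity is expected to be exported; everything else needs review
            launcher = any(c.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
                           for c in el.iter("category"))
            findings.append({"type": tag, "name": name, "reason": reason, "launcher": launcher})
    return findings


def needs_review(manifest_xml):
    """Names of exported components that are not the launcher entry point."""
    return sorted(f["name"] for f in exported_components(manifest_xml) if not f["launcher"])
```

Running needs_review(SAMPLE_MANIFEST) lists ForgetConfirmPassword and DeepLinkActivity but not LoginActivity or the launcher, which is exactly the short list a reviewer should walk through before deciding whether each one can be reached without completing the preceding flow.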

Let’s dig more !!!

Scenario#2

Now… let’s turn on Burp Suite and intercept the mobile app’s traffic. I entered a random password and clicked “Reset Password”. Here is the request in Burp:

As we can see there is only one JSON parameter, “password”, so I sent the request to Repeater, added another JSON parameter, “email”, with my test email address, and sent it. BOOM !!! It looks like this:

Now I can reset any user’s password by using the same request, which leads to Full ATO [ Account takeover ].

I hope this gives you some motivation to do bug bounties. See you again in the next writeup.

Twitter profile: @Dheerajmadhukar

Linkedin profile: @dheerajtechnolegends
