Android insecure IPC leads to Full Account Takeover via IDOR
I’m Dheeraj Madhukar, a working professional. I have been working for a long time for enormous government as well as private organizations in the field of Cyber Security, VAPT & Forensics.
I started around 7.5 years ago, and during this phase I had never tried any Bug Bounty platform, until now. So I decided to share my experience with you!
In this writeup I am sharing a few of the scenarios which I reported to a private program. Let’s look at two scenarios:
Let’s consider the org name as “example.com”. I decided to start with the Android app. First, I used apktool to decompile the app so I could analyse the AndroidManifest.xml file, and then searched for activities declared with ‘exported="true"’. I found one:
As we can see, this activity is called “ForgetConfirmPassword”, which means we can directly call this activity to bypass the forgot-password process. This is an Insecure IPC [Inter Process Communication] bug in the Android app.
Insecure IPC [Inter Process Communication]: Android components communicate through an internal mechanism by sending intents to each other. Intents can also be sent by an invalid caller, i.e. a malicious app, which can be abused to make your application perform sensitive actions without your control.
adb shell am start -W -n com.exmaple.ForgetConfirmPassword
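The manifest review described above is easy to automate. The following Python checker is an added example (not code from this writeup or from the program's app): it runs over a constructed sample manifest, lists every component that other apps can reach, records why it is exported, and separates the launcher activity (which must be exported) from the components that actually need review. It also applies the pre-Android 12 rule that a component with an intent-filter but no android:exported attribute is exported implicitly; since API 31 the build rejects that combination, so the implicit case only matters for older targets. All component names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest for the demo (not the app from the writeup).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:label="Demo">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ForgetConfirmPassword" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity"/>
    <service android:name=".SyncService" android:exported="true"/>
  </application>
</manifest>
"""


def _is_launcher(component):
    """True if the component carries the MAIN/LAUNCHER intent filter, which
    has to be exported for the app to show up in the launcher at all."""
    for flt in component.findall("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
        cats = {c.get(ANDROID_NS + "name") for c in flt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False


def find_exported_components(manifest_xml):
    """Return one dict per component reachable from other apps: its kind,
    fully qualified name, why it is exported, and whether it is the launcher."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    application = root.find("application")
    findings = []
    for comp in application:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(ANDROID_NS + "name", "")
        if name.startswith("."):
            name = package + name
        declared = comp.get(ANDROID_NS + "exported")
        has_filter = comp.find("intent-filter") is not None
        if declared is None:
            # Pre-Android 12 default: an intent-filter makes the component
            # exported even though android:exported was never written down.
            if not has_filter:
                continue
            reason = "implicit: intent-filter present, android:exported not declared"
        elif declared == "true":
            reason = 'android:exported="true"'
        else:
            continue
        findings.append({
            "kind": comp.tag,
            "name": name,
            "reason": reason,
            "launcher": _is_launcher(comp),
        })
    return findings


def review_worthy(findings):
    """Exported components other than the launcher: each needs a permission,
    a caller check, or a documented reason why outside access is acceptable."""
    return [f["name"] for f in findings if not f["launcher"]]


if __name__ == "__main__":
    results = find_exported_components(SAMPLE_MANIFEST)
    for f in results:
        flag = " (launcher, expected)" if f["launcher"] else ""
        print(f"{f['kind']:<10} {f['name']}  [{f['reason']}]{flag}")
```

Run it against the manifest apktool extracts and every name printed without the launcher flag is a component whose entry point deserves the same scrutiny the writeup gives ForgetConfirmPassword: an activity that continues a sensitive flow should not be reachable without the state that precedes it.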
Let’s dig more !!!
Now… Let’s turn on Burp Suite and intercept the mobile’s traffic. I just put in a random password and clicked on “Reset Password”. Here is the request in Burp:
As we can see, there is only one JSON parameter called “password”, so I sent the request to Repeater, added another JSON parameter, “email”, with my test email address, and sent it. BOOM!!! It looks like this:
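The root cause here is that the server lets the request body name the account being reset. The following Python example is added for illustration and is not the program's code: it models a reset endpoint with an in-memory user store and shows the vulnerable handler (account taken from a client-supplied "email" field when present) next to a hardened one (account bound server-side to a single-use reset token; an unexpected "email" field is rejected so tampering is visible in logs). The account names, token TTL and password policy are constructed for the demo.

```python
import hashlib
import secrets
import time

# Constructed in-memory state; a real service would keep this in a database.
USERS = {
    "alice@example.com": {"password_hash": None},
    "bob@example.com": {"password_hash": None},
}
# sha256(token) -> (account the token was issued for, expiry timestamp)
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 900


def _hash_password(password):
    # Demo-only hashing; use a vetted password KDF (argon2/bcrypt) in production.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def verify_password(email, password):
    stored = USERS[email]["password_hash"]
    if stored is None:
        return False
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 100_000)
    return secrets.compare_digest(digest.hex(), digest_hex)


def issue_reset_token(email):
    """Issued only after the user proves control of the address (e.g. via the
    emailed link). The binding to the account lives on the server; the
    client receives the raw token and nothing else."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (email, time.time() + TOKEN_TTL_SECONDS)
    return token


def _lookup_token(token):
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.get(key)
    if entry is None:
        return None, None
    email, expiry = entry
    if time.time() > expiry:
        del RESET_TOKENS[key]
        return None, None
    return key, email


def reset_password_vulnerable(token, body):
    """Mirrors the writeup's bug: if the JSON body carries an 'email' key the
    server uses it as the target account, so any valid token resets any user."""
    key, token_email = _lookup_token(token)
    if key is None:
        return {"ok": False, "error": "invalid or expired token"}
    target = body.get("email", token_email)   # client-controlled identity
    if target not in USERS:
        return {"ok": False, "error": "unknown account"}
    USERS[target]["password_hash"] = _hash_password(body["password"])
    return {"ok": True, "account": target}


def reset_password_hardened(token, body):
    """Fix: the account comes only from the server-side token binding. An
    identity field in the body is rejected (and should be logged) instead of
    silently ignored, and the token is consumed so it cannot be replayed."""
    if "email" in body:
        return {"ok": False, "error": "unexpected field: email"}
    key, token_email = _lookup_token(token)
    if key is None:
        return {"ok": False, "error": "invalid or expired token"}
    password = body.get("password", "")
    if len(password) < 12:
        return {"ok": False, "error": "password too short"}
    USERS[token_email]["password_hash"] = _hash_password(password)
    del RESET_TOKENS[key]   # single use
    return {"ok": True, "account": token_email}


if __name__ == "__main__":
    t = issue_reset_token("alice@example.com")
    print(reset_password_vulnerable(t, {"password": "x", "email": "bob@example.com"}))
    t = issue_reset_token("alice@example.com")
    print(reset_password_hardened(t, {"password": "x", "email": "bob@example.com"}))
    print(reset_password_hardened(t, {"password": "correct-horse-battery"}))
```

The detection angle follows from the same design: a reset request that carries identity fields the endpoint never expects, or a token presented against a different account than it was issued for, is exactly the signal the vulnerable handler throws away and the hardened one surfaces.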