How clicking a link can give away your precise location?

Eagleweb

Senior Member
8 May 2021
2,120
1,151
Hi everybody,
Today I will talk about a hacking activity news item on the Shazam app.
Summary

I found a vulnerability in the popular Shazam application that allowed an attacker to steal the precise location of a user simply by clicking a link! This was probably one of my most underrated vulnerabilities yet - it affected over 100 million users (at the time) and could access device features, protected by app permissions, from a single click of a link. In fact, getting creative it was also possible to make this a zero click vulnerability but unfortunately Apple and Google rejected this vulnerability for any reward under their bounty programs. (don't worry the issue was still resolved)

The report to Shazam's security team was made in December 2018 (3 months after acquisition by Apple). Instead of the expected triage reply I was directed to raise the issue with [email protected] - after a bit of back and forth the vulnerability was finally fixed on March 26, 2019. It took another 8 months before Apple gave recognition and confirmed this was not eligible under their bug bounty program. Despite having a previous bounty program Apple chose not to pay out and Google's own Google Play Security Rewards Program did not see your location data as a big enough security risk to award a bounty.
Understanding the vulnerability

Shazam uses deeplinks throughout the app as part of its navigation. I found that a particular exported deeplink (which was responsible for loading a website inside a webview) was not validating its parameter, allowing external resources to be in control. This webview included a few javascript interfaces that allowed content to communicate with the Android & iOS APIs, making it possible to pull back device specific information and the last known precise location of the user.

The deeplink in question is shazam://launchurl?url= . The url parameter could either be a website or a script starting with the javascript scheme. Once the webview loads, the app would attach a javascript interface called WebViewJavascriptBridge which was accessible under the window object.



setMessageHandler was a function that we could override to catch the response of an action requested through the sendMessage function. This function expected a JSON object passed through it containing an additional two parameters; type and data. After some further R&D I was soon able to knock up a small proof of concept:

[proof-of-concept screenshots]


Impact

This brings us on to how powerful this issue really was. With such a simple execution plan, attackers could have de-anonymized their targets with ease. In the wrong hands, it could be dangerous. In the right hands, criminals who hide online behind a fake alias could be identified. But that turns this privacy issue into an ethical one and hey, I'm just a hacker!

Whilst I do love helping keep the internet a safer space, I normally choose bug bounty programs over vulnerability disclosure programs just for the fact you get rewarded at the end. A little bit disappointed on the no bounty decision given how popular the app is and what could be achieved but I still managed to learn a lot about javascript interfaces at the time which has helped me further down the line.
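The root cause above is an exported deeplink whose url parameter reached a WebView (with a JavaScript bridge attached) without validation. The following is an added Python example, not Shazam's code, showing the check a defender would put in front of that WebView: it extracts the url parameter from a shazam://launchurl?url= deeplink and accepts only https pages on an assumed allowlist of hosts, which rejects javascript: payloads and host-spoofing tricks alike.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hosts the app may render inside its bridged WebView. This allowlist is an
# assumption for the example; the page does not give Shazam's real configuration.
ALLOWED_HOSTS = {"www.shazam.com", "shazam.com"}


def extract_target(deeplink: str) -> Optional[str]:
    """Return the `url` query parameter of a shazam://launchurl deeplink, or None."""
    parts = urlsplit(deeplink)
    if parts.scheme.lower() != "shazam" or parts.netloc.lower() != "launchurl":
        return None
    values = parse_qs(parts.query).get("url")  # parse_qs already percent-decodes
    return values[0] if values else None


def is_safe_target(target: str) -> bool:
    """Accept only https URLs on allowlisted hosts.

    Rejects javascript:, http:, file: and data: schemes regardless of case,
    ignores tab/newline/control bytes the way browser URL parsers do, and
    refuses userinfo tricks such as https://shazam.com@evil.example/.
    """
    cleaned = "".join(ch for ch in target if ord(ch) > 0x20)
    parts = urlsplit(cleaned)
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lowercased, with port and userinfo stripped
    if host is None or host not in ALLOWED_HOSTS:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # defence in depth: never accept embedded credentials
    return True


def check_deeplink(deeplink: str) -> bool:
    """Full gate: True only when the deeplink carries a url we are willing to load."""
    target = extract_target(deeplink)
    return target is not None and is_safe_target(target)
```

The same gate belongs in front of any WebView that exposes a JavaScript interface, since whatever page loads there can call the bridge.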