According to the reports shared with Cyber Security News, the main entry point of this vulnerability is the CommerceBuyActivity webview which has multiple attack points as follows:
- It can be started with a Deep link (adb shell am start kakaotalk://buy)
- Javascript enabled
- Supports Intent:// that can be used to send data to other non-exported app components via JS
- No sanitization
- Leaks an Authorization HTTP header that can be done through Netcat listener in a terminal window and running the $ adb shell am start kakaotalk://buy to start the CommerceBuyActivity WebView
However, though there is an option to leak the Authorization header using GET request, there is small validation there that prevents an attacker from loading any arbitrary attacker-controlled URLs. To overcome this issue, the code was analyzed which provided information that the path, query and fragment of the URL are using the attacker’s input.
URL Redirect To DOM XSS
As KakaoTalk has a same origin policy that does not load any arbitrary URLs, researchers were checking to see if there are any Kakao domains that are vulnerable to DOM XSS. There was one endpoint identified that was vulnerable to redirection to any Kakao domain.
To leverage this same site open-redirect for malicious purposes, there was an XSS flaw discovered. This XSS flaw was found in the m.shoppinghow.kakao.com subdomain which used DOM Invader Canary string and already had a Stored XSS payload. The XSS payload was so simple which was “>.
So combining this XSS, attackers created a malicious deep link which was kakaotalk://auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Y25001977964/q:”>.
This leaked the user’s access token via the Authorization header which was then sent to the attacker-controlled server by encoding the attacker URL to base64.kakaotalk://buy/auth/0/cleanFrontRedirect?returnUrl=https://m.shoppinghow.kakao.com/m/product/Q24620753380/q:”>.
As a matter of fact, this token can be used to take over the victim’s Kakao mail account that was used for registration. Additionally, if the user does not have a Kakao mail account, an attacker can still create a new Kakao Mail account and see the chat messages. Furthermore, another interesting thing is that the Kakao Mail account overwrites the user’s previous registered mail address without any additional checks.
Further, the researchers have also detailed about password reset, via Burp, malicious Deep link creation and a Proof-of-concept has also been published on GitHub.