optiv / InsecureShop

An intentionally designed vulnerable Android application built in Kotlin.
https://www.insecureshopapp.com
MIT License
230 stars, 152 forks

two fixes for two vulnerabilities #4

Closed erev0s closed 2 years ago

erev0s commented 2 years ago
hax0rgb commented 2 years ago

Thanks @erev0s, appreciate your contribution.

  1. Regarding the first fix, you are correct that the "read contacts" permission is required. You can enable this permission by going to App Info > Permissions; there you need to enable the Contacts permission. In the next release, I'm going to add a run-time contacts permission. I'm going to review your changes and, if all goes well, I'm going to push them in the next release.

  2. The second one does not require any changes and is working as intended. Your changes suggest adding getStringExtra("url"), which should allow you to load any URL. However, you can still load an arbitrary URL with the current implementation. You can intercept the implicit intent and load any arbitrary URL. This is a really tricky and interesting issue. I'll try to post the complete solution in the next few months. Reference: https://docs.insecureshopapp.com/insecureshop-challenges/intercepting-implicit-intent-to-load-arbitrary-url

erev0s commented 2 years ago

Hey @0xgaurang, thanks for getting back to me. In this case I can close this. Looking forward to your post.

shaiquie-zieye commented 2 years ago

> 2. However, you can still load an arbitrary URL with the current implementation. You can intercept the implicit intent and load any arbitrary URL.

@hax0rgb do you mind highlighting how this can be done?

hax0rgb commented 2 years ago

Hi @shaiquie-zieye

I have highlighted the vulnerable code here: https://docs.insecureshopapp.com/insecureshop-challenges/intercepting-implicit-intent-to-load-arbitrary-url

You can take advantage of the android.permission.SYSTEM_ALERT_WINDOW permission to intercept the intent and load an arbitrary URL.

I'm planning to post a complete solution by next month. Sorry for the delay on this.
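A hardened pattern for the WebView screen discussed in this thread (the intent-extra URL in hax0rgb's item 2 and the implicit-intent interception raised in the comments above), written here as an added example that is neither InsecureShop's own code nor erev0s's patch. The activity only loads an intent-supplied URL whose scheme and host pass an allowlist, the WebViewClient re-applies the same check to navigations inside the page, and in-app callers reach the screen through an explicit intent so no implicit-intent resolution is involved. The package, class, extra and host names are assumptions.

```kotlin
package com.example.hardenedwebview  // hypothetical package, not InsecureShop's

import android.content.Context
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.appcompat.app.AppCompatActivity

// Hosts this app is willing to render in its WebView (constructed allowlist for the example).
private val ALLOWED_HOSTS = setOf("www.insecureshopapp.com", "docs.insecureshopapp.com")

// Returns a URL string that is safe to load, or null if `raw` must be rejected.
// Rejects opaque URIs (javascript:, data:, ...), non-https schemes, userinfo tricks such as
// https://www.insecureshopapp.com@evil.example/, and any host outside the allowlist.
fun validatedUrl(raw: String?): String? {
    if (raw.isNullOrBlank()) return null
    val uri = Uri.parse(raw.trim())
    if (!uri.isHierarchical) return null
    if (!"https".equals(uri.scheme, ignoreCase = true)) return null
    if (uri.userInfo != null) return null
    val host = uri.host?.lowercase() ?: return null
    if (host !in ALLOWED_HOSTS) return null
    return uri.toString()
}

class HardenedWebViewActivity : AppCompatActivity() {  // hypothetical class name

    companion object {
        const val EXTRA_URL = "url"  // assumed extra name

        // In-app callers use this explicit intent: the component is named directly,
        // so the platform never resolves it against other apps' intent filters.
        fun createIntent(context: Context, url: String): Intent =
            Intent(context, HardenedWebViewActivity::class.java).putExtra(EXTRA_URL, url)
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val target = validatedUrl(intent.getStringExtra(EXTRA_URL))
        if (target == null) {
            finish()  // anything off the allowlist is dropped, not loaded
            return
        }
        val webView = WebView(this)
        webView.settings.javaScriptEnabled = false
        webView.settings.allowFileAccess = false
        webView.settings.allowContentAccess = false
        // Redirects and link clicks inside the page get the same check as the initial URL.
        webView.webViewClient = object : WebViewClient() {
            override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
                validatedUrl(request.url.toString()) == null  // true = block this navigation
        }
        setContentView(webView)
        webView.loadUrl(target)
    }
}
```

If only the app itself needs this screen, declare it in the manifest with android:exported="false" and no intent-filter: an intent-filter is exactly what turns the launch into an implicit intent that other components can match. If the activity must stay exported (for deep links, say), the allowlist in validatedUrl is the control that matters, because the caller of an exported activity is untrusted regardless of how the intent arrived.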

shaiquie-zieye commented 2 years ago

> You can take advantage of the android.permission.SYSTEM_ALERT_WINDOW permission to intercept the intent and load an arbitrary URL.

Thank you @hax0rgb for the hint.