#bugbounty
You must love #Android deeplinks! They are the easiest way to get bounties
1. Decompile an app with jadx
2. Collect all deeplink handlers from AndroidManifest.xml, they look like <data android:scheme="airbnb" android:host="d"/>
You must love #Android deeplinks! They are the easiest way to get bounties
1. Decompile an app with jadx
2. Collect all deeplink handlers from AndroidManifest.xml, they look like <data android:scheme="airbnb" android:host="d"/>
3. Grep among all sources and resources a pattern from a handler, in this case, airbnb://d
4. You could find a lot of hardcoded urls like airbnb://d/openurl?url=https:// airbnb.com/blabla. That's much simpler than learning app's sources
4. You could find a lot of hardcoded urls like airbnb://d/openurl?url=https:// airbnb.com/blabla. That's much simpler than learning app's sources
5. Now try to put your own domains with adb (adb shell am start -a android.intent.action.VIEW -d airbnb://d/openurl?url=http:// evil.com) or on HTML pages (check out the H1 report below)
6. Repeat the same thing for iOS apps. Usually, functionality is similar, but actual implementations are different
That's how I found hackerone.com/reports/401793 and earned $7.5k
That's how I found hackerone.com/reports/401793 and earned $7.5k
