#bugbountytips
An almost universal way to theft or overwrite arbitrary files on #android is sharing activities. You can find them in AndroidManifest.xml. They handle android.intent.action.SEND. Use the PoC from blog.oversecured.com/Evernote-Unive… (ctrl+f "EXTRA_STREAM") and test 4 scenarios:
An almost universal way to theft or overwrite arbitrary files on #android is sharing activities. You can find them in AndroidManifest.xml. They handle android.intent.action.SEND. Use the PoC from blog.oversecured.com/Evernote-Unive… (ctrl+f "EXTRA_STREAM") and test 4 scenarios:
1. Send a Uri to an internal file using file:// scheme (direct or using a symlink)
2. Send a Uri to an internal file using a victim app's internal content provider
now grep private file contents on SD card
2. Send a Uri to an internal file using a victim app's internal content provider
now grep private file contents on SD card
3. Send a Uri to your own file like explained in the article above (test _display_name and last path segment values to be vulnerable to path-traversal)
now run "ls -la dir | grep file_name" on /sdcard and /data/data/app
and also read hackerone.com/reports/288955, love that technique
now run "ls -la dir | grep file_name" on /sdcard and /data/data/app
and also read hackerone.com/reports/288955, love that technique
The same happens to pickers, but there is a separate article for this blog.oversecured.com/Interception-o…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
