Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

uXSS on Samsung Browser- 1909

Omid Rezaei, posted 18 days ago
  • In an Android Manifest, the most interesting part is anything with android:exported="true". If such a component also has a deeplink, it can be triggered from a single link on the web. There were several of these deeplink scopes within the Bixby Launcher Activity, used for voice-activated commands.
  • One of these handled a full URL string, such as samsunginternet://com.sec.android.app.sbrowser/Task/Path?params. For the AccessWebsite task, it performs input validation on the URL before launching it.
  • Upon launching this activity, a check was made to see if it was allowed. The goal of these checks was to ensure that the device wasn't an emulator, that the intent was ONLY a VIEW action, and that the referrer came from Bixby itself. The only one with meaningful protection is the com.samsung.android.bixby.agent check, which ensures that the intent can only be triggered from that particular package. Upon finishing validation, it would call com.sec.android.app.sbrowser.SBrowserMainActivity.
  • The SBrowserMainActivity activity was also exported. The AccessWebsite handler checks whether a tab exists. If not, it opens the URL in a new tab; otherwise, it immediately calls loadUrl(str).
  • The bug is that SBrowserMainActivity is exported! So all of the previous input validation can be bypassed by calling it directly. By setting the URL to javascript:alert(origin) after a page has loaded, you get XSS on the loaded page. Because of how this works, it leads to XSS on ANY website. Pretty neat!
  • The bug was pretty awesome but I found the ordering of the article somewhat hard to follow. It was hard to determine what was important and what wasn't. They also only got $2.7K for this vulnerability, even though it could have been catastrophic.
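A defensive counterpart to the bug above, added here as an illustration and not code from the write-up or from Samsung: a scheme allowlist that an exported activity should apply to any externally supplied URL before handing it to loadUrl. The class and method names (ExternalUrlGuard, isSafeToLoad) are my own, and the guard uses only java.net.URI so it runs under plain Java 9+ outside Android.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Only absolute http(s) URLs pass; javascript:, file: and scheme-less input are rejected. */
public final class ExternalUrlGuard {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    public static boolean isSafeToLoad(String rawUrl) {
        if (rawUrl == null) return false;
        // Trim first: leading whitespace would defeat a naive startsWith("javascript:") check.
        String url = rawUrl.trim();
        URI parsed;
        try {
            parsed = new URI(url);
        } catch (URISyntaxException e) {
            return false; // unparsable input is never loaded
        }
        String scheme = parsed.getScheme();
        if (scheme == null || parsed.getHost() == null) {
            return false; // relative or opaque URIs (e.g. javascript:...) have no host
        }
        // Case-fold: "JAVASCRIPT:" is the same scheme as "javascript:"
        return ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
    }

    // Usage sketch for an exported Activity (hypothetical names, Android classes omitted):
    //   String url = String.valueOf(getIntent().getData());
    //   if (!ExternalUrlGuard.isSafeToLoad(url)) { finish(); return; }
    //   webView.loadUrl(url);
    // If the activity is only meant for in-app callers, the manifest fix is simply
    //   android:exported="false"

    public static void main(String[] args) {
        String[] samples = {                    // constructed sample inputs
            "https://example.com/path?q=1",     // allowed
            "javascript:alert(origin)",         // rejected: opaque, no host
            "  JAVASCRIPT:alert(1)",            // rejected after trim and case-fold
            "file:///sdcard/secret.txt",        // rejected: empty host
        };
        for (String s : samples) {
            System.out.println(isSafeToLoad(s) + "  <- " + s);
        }
    }
}
```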