Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Firefox: How a website could steal all your cookies on Android - 307

Pedro Oliveira, posted 5 years ago
  • This vulnerability used a plethora of issues to eventually steal all cookies from an Android device. It is always fun to see multiple smaller issues chained together.
  • While testing content URIs, the author noticed that Firefox was converting the content URI into a FILE URI and writing the fetched content out to the filesystem.
  • First, Android has the concept of content providers. A content provider lets an application manage data access for itself and for other applications. In this case, the Firefox content provider was far too permissive: anyone who could reach it could read ANY data that Firefox controls, including the cookies in its SQLite database.
  • The Same Origin Policy (SOP) for FILE URIs is spelled out clearly in the Mozilla docs. The only rule relevant to this exploit is that a file can access its own contents.
  • Why do all of these things matter? What if we could create a file (via the content URI) that satisfies the SOP but actually points at some other data? Using the three quirks above, it is possible.
  • The following steps make the attack work locally:
    1. Have Firefox fetch content://org.mozilla.firefox.fileprovider/root/sdcard/Download/profiles.ini.
    2. Firefox fetches this content & saves it in /sdcard/Download/profiles.ini. Then, the user is redirected to THIS location.
    3. Request a file with the SAME name (but from a different directory). This will overwrite the content currently being displayed by the user.
    4. Files can now be accessed across boundaries IF they have the same name!
  • To make this work remotely, just use the deep-linking feature.
  • Super interesting find that took me a few reads in order to understand. At the end of the day, this came down to overly verbose permissions and weird parsing functionality.
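As an added illustration (not code or configuration from the writeup or from the Firefox project; the provider authority and path names are assumed), this shows where an Android FileProvider's exposed-path list decides what a content URI can reach: an assumed-weak `root-path` entry maps an alias onto the whole filesystem, which is the kind of over-broad exposure the summary describes, while the restricted version confines the provider to one app-owned directory and keeps it unexported.

```xml
<!-- Added example, not the Firefox project's own configuration.
     Authority and path names below are assumed for illustration. -->

<!-- AndroidManifest.xml: the provider entry. exported="false" means no other
     app can query the provider directly; grantUriPermissions="true" lets the
     app hand out access to one specific URI at a time instead of everything. -->
<provider
    android:name="androidx.core.content.FileProvider"
    android:authorities="com.example.app.fileprovider"
    android:exported="false"
    android:grantUriPermissions="true">
    <meta-data
        android:name="android.support.FILE_PROVIDER_PATHS"
        android:resource="@xml/file_paths" />
</provider>

<!-- res/xml/file_paths.xml, WEAK (assumed shape, shown for contrast):
     root-path anchors the alias "root" at the device root "/", so a URI of
     the form content://<authority>/root/<any path> resolves to an arbitrary
     file, including the app's own profile directory and SQLite databases. -->
<paths>
    <root-path name="root" path="." />
</paths>

<!-- res/xml/file_paths.xml, RESTRICTED: only a dedicated share directory
     under the app's external files dir is reachable. FileProvider rejects
     any URI whose resolved path falls outside the listed directories. -->
<paths>
    <external-files-path name="shared" path="shared/" />
</paths>
```

The check a reviewer would run: list every `<paths>` entry, confirm none uses `root-path` or a `path="."` at a broad root, and confirm the manifest keeps `android:exported="false"`.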