Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Chaining bugs to takeover Wind Vision accounts - 450

Leonidas Tsaousis, posted 4 years ago
  • Wind Vision is a digital television service in Greece. All digital content is received via IP networks and it aims to be a next-generation TV system. Because of this, the phone app is quite popular, with over 50K downloads on Android.
  • What initially caught the researcher's eye was the login flow. To log in, the application opens a browser tab. If the credentials are correct, the user is logged in and navigated back to the application using deep links. The post has a nice GIF of the flow.
  • A deep link is a way to register your own URL scheme so that URLs using it open an application. There are also App Links, which are mostly the same. The main difference is that a deep link can only be opened by the designated app and there is a validation done at installation time to ensure this. Normally, an application wants to restrict who can call this endpoint and who can use the URL.
  • If a second application registers a handler for the same URL, the user MUST choose which one to open it with. Because we are good social engineers, they will go to the malicious application.
  • Now, the authorization flow goes through the OAuth dance and then sends the selected application an auth code. With control over the auth code, this can be turned into an access token quite easily! This could have been avoided if OAuth2 with PKCE had been used.
  • The author built an application that does exactly what we have been talking about. Although this requires a malicious application to be installed and a bad click on the user's part, it is still a really interesting finding! In the future, I will take the android:autoVerify="true" flag in an Android app's manifest more seriously.