SHAREit <= v4.0.34 exhibited a very odd behavior that led to an authentication bypass.

Arbitrary file download. To download a file from a user's device, all you need is to have had a valid SHAREit session with this user at least once, so that you are added to the recognized devices, then go to

This will download /data/data//shared_prefs/Settings.xml, which is the settings file of the SHAREit application. The problem occurs mainly because the application fails to validate the msgid parameter, enabling a malicious client with a valid session to download any resource by directly referencing its identifier.

So we can download whatever files we want from the victim's device, but obtaining a valid session would trigger alarms when the victim notices an unusual session, and limiting the attack to people we have exchanged files with before would dramatically decrease the success rate. So what is next?

Authentication bypass. When a user with no valid session tries to download a file from the device using the previously mentioned URL, the application responds with a 403 status code and the error message "The request is not from anyshare user!". Once a valid session has been established at least once, the application adds the user to the recognized devices and accepts any incoming download request from that user. The odd behavior occurs when an unauthenticated user fetches a non-existent page: instead of a regular 404 page, the application responds with a 200 status code and an empty page, and adds the user to the recognized devices! This makes it the weirdest and simplest authentication bypass we have ever seen :). Yes! A fully functional proof of concept would be as simple as
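To make the two flaws concrete, here is a small model of the device-recognition logic described above, written for this page as an added illustration. It is not SHAREit's code and sends no network traffic: the `/download` path, the client identifiers, the `msgid` to file table and the `<pkg>` placeholder in the settings path are all assumptions. `VulnerableServer` reproduces the behavior the text describes (unknown path returns 200 and recognizes the caller; any recognized client can fetch any `msgid`), and `FixedServer` shows the two checks that close it.

```python
"""Constructed model of a SHAREit-style recognized-device check.

Not SHAREit's code; paths, client ids and the msgid table are assumptions
made for the example.
"""

# Constructed resource table: msgid -> (path on the device, content).
# msgid 1 is a file legitimately shared in a session; msgid 1337 is an
# unrelated sensitive file (package name replaced by <pkg>, an assumption).
RESOURCES = {
    1: ("/sdcard/Pictures/cat.jpg", b"JPEG..."),
    1337: ("/data/data/<pkg>/shared_prefs/Settings.xml", b"<map>...</map>"),
}

NOT_ANYSHARE = b"The request is not from anyshare user!"


class VulnerableServer:
    """Mirrors the two behaviours described in the text."""

    def __init__(self):
        self.recognized = set()   # clients with an accepted session
        self.shared = {}          # client -> set of msgids actually shared

    def establish_session(self, client, msgid):
        """A legitimate SHAREit exchange: the peer becomes recognized."""
        self.recognized.add(client)
        self.shared.setdefault(client, set()).add(msgid)

    def handle(self, client, path, msgid=None):
        """Return (status, body) for one request."""
        if path == "/download":
            if client not in self.recognized:
                return 403, NOT_ANYSHARE
            # Bug 1: msgid is never checked against what this client was sent.
            if msgid in RESOURCES:
                return 200, RESOURCES[msgid][1]
            return 404, b""
        # Bug 2: unknown path -> 200 empty page, and the caller is recognized.
        self.recognized.add(client)
        return 200, b""


class FixedServer(VulnerableServer):
    def handle(self, client, path, msgid=None):
        if path == "/download":
            if client not in self.recognized:
                return 403, NOT_ANYSHARE
            # Fix 1: only resources shared in this client's own session.
            if msgid not in self.shared.get(client, ()):
                return 403, NOT_ANYSHARE
            return 200, RESOURCES[msgid][1]
        # Fix 2: unknown path is a plain 404 with no state change.
        return 404, b""


def bypass_demo(server_cls):
    """Unauthenticated client: download, probe a missing page, download again.

    Returns the three status codes."""
    s = server_cls()
    first = s.handle("attacker", "/download", msgid=1337)[0]
    probe = s.handle("attacker", "/does-not-exist")[0]
    after = s.handle("attacker", "/download", msgid=1337)[0]
    return first, probe, after


def idor_demo(server_cls):
    """Peer that legitimately received msgid 1 asks for msgid 1337 instead."""
    s = server_cls()
    s.establish_session("peer", 1)
    return s.handle("peer", "/download", msgid=1337)[0]


if __name__ == "__main__":
    print("vulnerable bypass:", bypass_demo(VulnerableServer))  # (403, 200, 200)
    print("fixed bypass:     ", bypass_demo(FixedServer))       # (403, 404, 403)
    print("vulnerable idor:  ", idor_demo(VulnerableServer))    # 200
    print("fixed idor:       ", idor_demo(FixedServer))         # 403
```

The point of the model is that recognition must be a side effect of completing a real session, never of an arbitrary request, and that a resource identifier supplied by the client has to be checked against what that client was actually granted.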