Insecure Broadcast Receiver

The activity com.insecureshop.AboutUsActivity is exported and contains the following code:

public void onCreate(android.os.Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(2131492892);
    com.insecureshop.CustomReceiver customReceiver = new com.insecureshop.CustomReceiver();
    this.receiver = customReceiver;
    if (customReceiver == null) {
        kotlin.jvm.internal.Intrinsics.throwUninitializedPropertyAccessException("receiver");
    }
    // Registered dynamically with no broadcast permission and no export flag.
    registerReceiver(customReceiver, new android.content.IntentFilter("com.insecureshop.CUSTOM_INTENT"));
}

Observe that a receiver is registered while onCreate runs: the receiver customReceiver is triggered whenever a broadcast with the action com.insecureshop.CUSTOM_INTENT is sent. Because registerReceiver is called with no broadcast permission and no export flag, any application on the device can send that broadcast.

The class com.insecureshop.CustomReceiver contains the following code:

public final class CustomReceiver extends android.content.BroadcastReceiver {
    public void onReceive(android.content.Context context, android.content.Intent intent) {
        android.os.Bundle extras;
        java.lang.String stringExtra = (intent == null || (extras = intent.getExtras()) == null) ? null : extras.getString("web_url");
        java.lang.String str = stringExtra;
        if (!(str == null || kotlin.text.StringsKt.isBlank(str))) {
            android.content.Intent intent2 = new android.content.Intent(context, com.insecureshop.WebView2Activity.class);
            intent2.putExtra("url", stringExtra);
            if (context != null) {
                context.startActivity(intent2);
            }
        }
    }
}

The above code shows that onReceive reads the web_url extra from the incoming intent and assigns it to str. If str is neither null nor blank, the value is passed without any validation to com.insecureshop.WebView2Activity as the url extra, so whoever sends the broadcast chooses which URL the app's WebView loads.
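As an added example (not InsecureShop's own code), the following Java shows a hardened version of the registration in AboutUsActivity and of CustomReceiver: the receiver is registered with ContextCompat.RECEIVER_NOT_EXPORTED so that only the app itself can deliver the broadcast, and the web_url extra is checked for an https scheme and a constructed host allowlist before it reaches WebView2Activity. The class names AboutUsActivityHardened and HardenedReceiver, the allowlisted host insecureshop.example, and the use of AndroidX are assumptions.

```java
package com.insecureshop;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.Uri;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.content.ContextCompat;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hardened counterpart of the page's AboutUsActivity (class name assumed).
public class AboutUsActivityHardened extends AppCompatActivity {
    private static final String ACTION = "com.insecureshop.CUSTOM_INTENT";
    private HardenedReceiver receiver;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        receiver = new HardenedReceiver();
        // RECEIVER_NOT_EXPORTED: broadcasts from other packages are never delivered.
        // ContextCompat.registerReceiver applies the flag on API levels that support it
        // and is the documented way to register on Android 13+, where a flag is required.
        ContextCompat.registerReceiver(this, receiver, new IntentFilter(ACTION),
                ContextCompat.RECEIVER_NOT_EXPORTED);
    }

    @Override
    protected void onDestroy() {
        // Unregister so the receiver does not outlive the activity.
        unregisterReceiver(receiver);
        super.onDestroy();
    }
}

// Hardened counterpart of the page's CustomReceiver (class name assumed).
final class HardenedReceiver extends BroadcastReceiver {
    // Constructed allowlist of hosts the WebView may open; adjust for the real app.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("insecureshop.example"));

    @Override
    public void onReceive(Context context, Intent intent) {
        if (context == null || intent == null) {
            return;
        }
        String webUrl = intent.getStringExtra("web_url");
        if (!isAllowedUrl(webUrl)) {
            // Drop the request; a production app would log this for detection.
            return;
        }
        Intent next = new Intent(context, WebView2Activity.class);
        next.putExtra("url", webUrl);
        context.startActivity(next);
    }

    // Accept only https URLs whose host is on the allowlist. This rejects
    // file://, content://, javascript: and http:// values outright.
    static boolean isAllowedUrl(String url) {
        if (url == null || url.trim().isEmpty()) {
            return false;
        }
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

Two independent controls are applied here. RECEIVER_NOT_EXPORTED closes the entry point for other apps; if the broadcast genuinely has to come from another package, the alternative is to pass a signature-level permission as the broadcastPermission argument of registerReceiver. The URL allowlist is kept regardless, because WebView2Activity should not trust its url extra even from an in-app sender.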

Exploitation (!!SPOILER!!)

Refer to the following video, which shows how this can be exploited by creating a third-party Android application.
