ShazLocate! Abusing CVE-2019-8791 & CVE-2019-8792

Summary

I found a vulnerability in the popular Shazam application that allowed an attacker to steal a user's precise location simply by getting them to click a link. This is probably one of my most underrated findings yet: it affected over 100 million users (at the time) and reached device features that are protected by app permissions, all from a single click on a link. With a bit of creativity it could even be turned into a zero-click attack. Unfortunately Apple and Google both rejected the vulnerability for any reward under their bounty programs (don't worry, the issue was still resolved).

I reported the issue to Shazam's security team in December 2018 (three months after the acquisition by Apple). Instead of the expected triage reply I was directed to raise the issue with [email protected]; after a bit of back and forth the vulnerability was finally fixed on March 26, 2019. It took another eight months before Apple gave recognition and confirmed that it was not eligible under their bug bounty program. Despite having run a bounty program previously, Apple chose not to pay out, and Google's own Google Play Security Rewards Program did not consider your location data a big enough security risk to award a bounty.

The vulnerability affected both Android and iOS devices and was tracked as CVE-2019-8791 and CVE-2019-8792.

Understanding the vulnerability

After decompiling the mobile app and working out how these interfaces operated, I found that this object had two primary functions: setMessageHandler and sendMessage.

setMessageHandler was a function we could override to catch the response to an action requested through sendMessage. sendMessage expected a JSON object containing two parameters, type and data. After some further R&D I was soon able to knock up a small proof of concept:

Proof of concept (screenshot not reproduced)

An attack flow could look something like this:

Attack flow (diagram not reproduced)
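As an added example (not Shazam's code and not from the original post), the following JavaScript models a web-view bridge with the two functions described above, setMessageHandler and sendMessage, and the { type, data } message format, so the attack flow can be run end to end on a desk. Everything beyond those two names is an assumption for illustration: the message type names ('ping', 'getLocation'), the origins, the sample coordinates, and the origin allowlist used as the hardened variant, which is one possible fix and not necessarily what Shazam shipped.

```javascript
// Added example, not Shazam's code and not from the original post: a plain
// JavaScript model of a WebView bridge exposing the two functions described
// above, setMessageHandler and sendMessage, with a { type, data } message
// format. The message type names ('ping', 'getLocation'), the origins and
// the coordinates are all assumed or constructed for illustration, and the
// origin allowlist is one possible hardening, not the fix Shazam shipped.

// Constructed sample location that the native side would normally obtain
// from the OS location service (which is what the app permission guards).
const SAMPLE_LOCATION = { lat: 51.5074, lon: -0.1278 };

// Model of the native half of the bridge. A real app implements this in
// Kotlin or Swift and injects the resulting object into its web view.
//   pageOrigin:     origin of the document currently loaded in the web view;
//                   the native side knows this because it loaded the page.
//   allowedOrigins: null means no check (the vulnerable shape); otherwise
//                   only pages from these origins get privileged message types.
function makeBridge({ pageOrigin, allowedOrigins = null }) {
  let handler = () => {};
  const reply = (type, data) => handler({ type, data });

  return {
    // Page code overrides this to receive the response to a sendMessage call.
    setMessageHandler(fn) {
      if (typeof fn !== 'function') throw new TypeError('handler must be a function');
      handler = fn;
    },
    // Page code passes a JSON object with two parameters, type and data.
    sendMessage(msg) {
      if (msg === null || typeof msg !== 'object' || typeof msg.type !== 'string') {
        reply('error', 'message must be an object with a string "type"');
        return;
      }
      switch (msg.type) {
        case 'ping': // unprivileged: harmless for any page to call
          reply('pong', msg.data);
          return;
        case 'getLocation': // privileged: backed by the location permission
          if (allowedOrigins !== null && !allowedOrigins.includes(pageOrigin)) {
            reply('error', 'origin not permitted: ' + pageOrigin);
            return;
          }
          reply('location', SAMPLE_LOCATION);
          return;
        default:
          reply('error', 'unknown type: ' + msg.type);
      }
    },
  };
}

// What a page reached by clicking the link does once it runs inside the web
// view: install a handler, ask for the location, keep the answer. A real
// attack would post it to a collector server; here it is simply returned,
// or null if the bridge refused.
function attackerPage(bridge) {
  let stolen = null;
  bridge.setMessageHandler((resp) => {
    if (resp.type === 'location') stolen = resp.data;
  });
  bridge.sendMessage({ type: 'getLocation', data: {} });
  return stolen;
}

// Vulnerable shape: every page the app loads can use the privileged type.
function vulnerableDemo() {
  const bridge = makeBridge({ pageOrigin: 'https://attacker.example' });
  return attackerPage(bridge);
}

// Hardened shape: privileged types are answered only for the app's own
// (assumed) origin, so the same page gets an error instead of coordinates.
function hardenedDemo(pageOrigin) {
  const bridge = makeBridge({ pageOrigin, allowedOrigins: ['https://trusted.example'] });
  return attackerPage(bridge);
}

console.log('vulnerable bridge:', vulnerableDemo());
console.log('hardened bridge, attacker page:', hardenedDemo('https://attacker.example'));
console.log('hardened bridge, trusted page:', hardenedDemo('https://trusted.example'));
```

Run it with node. The point to take from the model is that the decision has to be made on the native side, from the URL the app itself loaded, never from anything the page claims about itself, and that privileged message types must not be reachable from arbitrary content, including pages opened through a deep link. Unprivileged types such as the 'ping' here can stay open to any page without changing the risk.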

Impact

This brings us to how powerful this issue really was. With such a simple execution plan, attackers could have de-anonymized their targets with ease. In the wrong hands it could be dangerous; in the right hands, criminals who hide online behind a fake alias could be identified. But that turns this privacy issue into an ethical one, and hey, I'm just a hacker!

Anyone had a similar experience in the past? Would love to hear - leave your comments below!

Follow @AshleyKingUK
