Expand Up @@ -255,6 +255,53 @@ adb shell am start -a android.intent.action.VIEW \
- **Operational tips**: capture multiple payload variants (external URL vs `javascript:`) and replay them quickly against a device/emulator to distinguish real issues (open-redirect/auth-bypass/WebView URL injection) from static-analysis noise.
- **Automation**: [Deep-C](https://github.com/KishorBal/deep-C) automates deeplink hunting by decompiling the APK (apktool + dex2jar + jadx), enumerating **exported + browsable** activities, correlating weak validation and `WebView.loadUrl` flows, and emitting ready-to-run adb PoCs (optionally auto-executed with `--exec`).

### Custom-scheme handler hijacking of onboarding / auth tokens

Custom schemes are convenient, but they **do not prove ownership**. If an app ships a sensitive onboarding or login flow that places a bearer-like secret inside a URI such as `myapp://bind?code=<token>`, another installed app can register the same scheme and receive the full deep link when the victim opens it from a QR scan, browser, or any other implicit `VIEW` trigger.

Typical attacker manifest:

```xml
<activity android:name=".StealerActivity" android:exported="true">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="myapp" />
</intent-filter>
</activity>
```

Minimal interception logic:

```java
Intent intent = getIntent();
Uri data = intent.getData();
String code = data != null ? data.getQueryParameter("code") : null;
// Exfiltrate or replay the token
```

Why this matters:
- If the deep link transports an **authorization code, bootstrap token, magic-login token, device-binding token, password-reset secret, or any other reusable credential**, this becomes an **account takeover / session takeover** primitive instead of just a local intent-routing bug.
- The issue is especially relevant in **QR-driven mobile onboarding** because users commonly scan with the camera app and then tap the OS "open link" prompt, which triggers an implicit `VIEW` resolution outside the trusted app context.

How to test:
- Look for authentication-related deep links in manifests, Java/Kotlin, and backend responses (`login`, `bind`, `register`, `signin`, `oauth`, `activate`, `reset`, `magic`).
- Confirm whether the flow places secrets in URI **query/path parameters** instead of retrieving them through a trusted app-to-backend exchange.
- Install a PoC app that claims the same scheme and replay the victim flow from every entry point you can reach: QR scan, HTML link, and adb:

```bash
adb shell am start -a android.intent.action.VIEW \
-d "myapp://bind?code=test-token"
```

- Check whether the attacker app receives the full URI, whether a chooser appears, and whether the intercepted token can be replayed remotely to finish login/onboarding.

Hardening notes:
- Prefer **verified `https` App Links** over custom schemes for security-sensitive flows.
- Do not embed reusable secrets in hijackable deep links; bind them to the app/backend session and expire them after one use.
- If a custom scheme is unavoidable, treat every inbound parameter as attacker-controlled and avoid using it as a standalone authenticator.


## AIDL - Android Interface Definition Language

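Review bot: the "Hardening notes" block at the end of this hunk stops short of the concrete mitigation a reader will look for. Under "Prefer **verified `https` App Links**" it should say what "verified" requires, namely `android:autoVerify="true"` on the intent filter plus a Digital Asset Links `assetlinks.json` served from the domain, since an unverified `https` intent filter is just as hijackable as a custom scheme. The second bullet ("bind them to the app/backend session and expire them after one use") maps directly to PKCE-style binding for OAuth-type flows: the app keeps a locally generated verifier and the backend refuses a code presented without it, so an intercepted `code=` parameter is worthless on its own; naming that would make the advice actionable. Minor: in "How to test", the bullet about "whether a chooser appears" should note that a chooser is not a mitigation, because the user can still pick the hijacking app.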
Expand Down Expand Up @@ -537,8 +584,10 @@ Tools / scripts that speed-up Binder reconnaissance:
- [Android manifest provider: writePermission](https://developer.android.com/guide/topics/manifest/provider-element#wprmsn)
- [Android ContentResolver.update()](https://developer.android.com/reference/android/content/ContentResolver#update(android.net.Uri,%20android.content.ContentValues,%20java.lang.String,%20java.lang.String[]))
- [Deep-C – Android deep link exploitation framework](https://github.com/KishorBal/deep-C)
- [Unsafe use of deep links - Android Developers](https://developer.android.com/privacy-and-security/risks/unsafe-use-of-deeplinks)
- [Create deep links - Android Developers](https://developer.android.com/training/app-links/deep-linking)
- [Microsoft Authenticator’s Unclaimed Deep Link: A Full Account Takeover Story (CVE-2026-26123)](https://khaledsec.medium.com/microsoft-authenticators-unclaimed-deep-link-a-full-account-takeover-story-cve-2026-26123-e0409a920a02)

{{#include ../../banners/hacktricks-training.md}}
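Review bot: style inconsistency in the added references: the Deep-C entry separates title and source with an en dash ("Deep-C – Android deep link exploitation framework") while the neighbouring entries use a plain hyphen (" - Android Developers"); align the separator with the rest of the list. Also, none of the four new references are cited from the new section added in the first hunk; linking at least the "Unsafe use of deep links" page from the hardening notes would make the list traceable to the text it supports.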