Google 2FA vulnerable code

submitted by
Style Pass
2021-07-12 17:30:12

Nowadays many applications support two-factor authentication with SMS messages to increase the level of security of your account. You log in with a username/password and a secret code is sent to your phone to double-check that it's really you.

At this address you can find the suggested way to handle a code received in a text message on Android. It is the official Android documentation from Google, it is reproduced in many Stack Overflow answers, and it is currently implemented in many mobile applications.

As you can see, the first step is receiving, in a broadcast receiver, an intent informing the app that an SMS has been retrieved (step 1); after that a nested intent is extracted from the broadcast's extras (step 2) and finally that nested intent is passed to startActivityForResult() (step 3). The idea is that the nested intent will show the user a consent dialog to allow the app to read the SMS message.

In this code the received nested intent is never validated. The application expects an ACTION_USER_CONSENT intent, which is what shows the consent dialog, but the code blindly trusts the input and calls startActivityForResult() on whatever it receives. Now the problem is clear, right? :) An attacker only has to send the victim application an SMS_RETRIEVED intent carrying a malicious nested intent (the payload), and the victim app will start it blindly, with its own identity and permissions.
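One way to harden step 3, written here as an added example and not the snippet from the documentation the post links to: the nested intent is started only if it resolves to an activity inside Google Play services (assumed package name com.google.android.gms), and the receiver is registered with SmsRetriever.SEND_PERMISSION so that only Play services can deliver the broadcast at all (this assumes a play-services-auth version that defines that constant; SmsConsentReceiver and REQ_USER_CONSENT are names chosen for this example).

```java
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Bundle;
import android.util.Log;

import com.google.android.gms.auth.api.phone.SmsRetriever;
import com.google.android.gms.common.api.CommonStatusCodes;
import com.google.android.gms.common.api.Status;

// Hardened receiver for the SMS User Consent flow: the nested consent intent is
// validated before it is launched instead of being trusted as-is.
public class SmsConsentReceiver extends BroadcastReceiver {
    private static final String TAG = "SmsConsentReceiver";
    // Assumption: the consent dialog is implemented by Google Play services.
    static final String GMS_PACKAGE = "com.google.android.gms";
    static final int REQ_USER_CONSENT = 200; // request code chosen for this example

    private final Activity host;

    public SmsConsentReceiver(Activity host) { this.host = host; }

    // Registering with SEND_PERMISSION restricts senders to apps holding that
    // permission, i.e. Play services, so a third-party app cannot inject the broadcast.
    public static void register(Activity activity, SmsConsentReceiver receiver) {
        IntentFilter filter = new IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION);
        activity.registerReceiver(receiver, filter, SmsRetriever.SEND_PERMISSION, null);
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!SmsRetriever.SMS_RETRIEVED_ACTION.equals(intent.getAction())) return;
        Bundle extras = intent.getExtras();
        if (extras == null) return;
        Status status = (Status) extras.get(SmsRetriever.EXTRA_STATUS);
        if (status == null || status.getStatusCode() != CommonStatusCodes.SUCCESS) return;
        Intent consentIntent = extras.getParcelable(SmsRetriever.EXTRA_CONSENT_INTENT);
        if (!isTrustedConsentIntent(context, consentIntent)) {
            Log.w(TAG, "Dropping nested intent that does not resolve to Play services");
            return; // never start an attacker-controlled intent with our identity
        }
        host.startActivityForResult(consentIntent, REQ_USER_CONSENT);
    }

    // Resolve the activity the nested intent would actually start and require it to
    // live in the Play services package; explicit components aimed at our own or any
    // other app fail this check.
    static boolean isTrustedConsentIntent(Context ctx, Intent nested) {
        if (nested == null) return false;
        ComponentName target = nested.resolveActivity(ctx.getPackageManager());
        return target != null && GMS_PACKAGE.equals(target.getPackageName());
    }
}
```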
