Xiaomi URL Address Bar spoofing w/ SSL vulnerability or, CVE-2019-10875 - Was it intentionally kept in the global versions by Xiaomi? - Andmp | A blog about infosec, bug hunting and more!

"Good artists copy; great artists steal."

Just another web hacking and vulnerability research blog that details how I use existing knowledge and old ways to discover new vulns ;)

Breaking

ad

Post Top Ad

Friday 5 April 2019

Xiaomi URL Address Bar spoofing w/ SSL vulnerability or, CVE-2019-10875 - Was it intentionally kept in the global versions by Xiaomi?

Introduction


Image result for Xiaomi

Are Chinese device makers on purpose making their software and OS insecure for international markets? Chinese manufacturers have always been well-known to have weaponized their products, and made them vulnerable for attackers or, themselves.

Xiaomi has always been criticized for pestering users with unwanted bloatware apps like Sharetrend (for example, users were forced to download it as part of an update) and it's unwanted ad campaigns. I recently came across this, since finally MIUI 11 will get rid of all those unwanted malicious ads and bloatware, comes as a great relief for users, right? Well, there's more to it than disturbing ad content and things as such.

Speaking of Xiaomi browsers, they lack even the most basic security features like XSS auditors. So, you are always at risk if you are using it. I advise using Chrome rather because it has a good XSS filter.

- Xiaomi Browsers don't have an XSS auditor. - As an example, XSS attacks become simple - Also, common XSS attacks like ones in which you redirect to a javascript/data URI work in Xiaomi, thus making it the least secure, lacking basic security features. For a demo, type javascript:alert(); in Xiaomi browser and hit enter. There is no XSS auditor to protect you against such XSS attacks.




In this case, I found a simple vulnerability in Xiaomi's browser applications. Interestingly, their Security team (MiSRC) confirmed the security issues to be present in their global or, overseas versions and not in their domestic ones. Thus, they inadvertently conveyed the fact that only International versions of their browsers were insecure to this vulnerability, which made me ponder into it.

 A question that arises is: Are they targeting International users in particular for efficient phishing campaigns, ad campaigns and distributing unwanted software or, malware? Lots of possibilities with things like this.


2 popular browser (global) versions are affected by this vulnerability (latest global versions), namely:
   - Mi Browser (official pre-installed default app for every Xiaomi device), with over millions of installs
   - Mint Browser (global versions)

I have been testing MIUI for security bugs, for sometime now and have reported multiple security issues as such on their pre-installed apps and the MIUI OS (as a whole).

However, as for this bug, I would call this an accidental discovery, cause it didn't require much effort but somehow I decided to test a certain feature in their browser which was behaving somewhat abnormally, than expected.

How I discovered the bug?


Firstly, to every person who knows a bit about browsers, it seems pretty much as if they were trying to make the way Google search appears on their browser or, any other search engine's overall UX on their browser better, for which they tried to display only the "search query" on their URL Address bar

This is the first idea that comes to mind, and indeed, this is how I first hit upon this bug, quite unknowingly, when I once just opened a Google (query) search link in the Mi Browser, and that's how it all started.

This is the sort of link I tried to open in Mi Browser, and ironically this is the PoC for my bug, it shockingly needs almost 0 user interaction to exploit, just make a victim open this link and yeah, that's all to it,

https://www.google.com/?q=www.domain.com


Technical Details

When you try to open a link with a query portion with that URL, Xiaomi's browsers try to display it as search engines would display it in the search bar. This is where the issue arises.

For a link such as this, 
https://www.google.com/?q=www.domain.com

The URL bar would display www.domain.com, and I guess that would give you a better search engine experience with this browser.

This is exactly where the problem arises, because the URL bar doesn't display the full URL, and this not only happens in case of popular search engine websites but also with other websites.

Thus, the issue is due to the way the Browser tries to render or, display the URL in the address bar, for example,

https://www.evil.com/?q=www.google.com

The website www.evil.com com can thus pretend to be www.google.com because of the way, the Browser handles the query parameter 'q' of the URL. It just happens with the parameter q. 

The browser in such cases would only display the content in the parameter 'q' of the whole URL, but not the whole URL.


Video PoC

Impact?

Mi Browser is the default browser app to open such links, making it susceptible to phishing attacks. This makes it quite feasible to execute successful phishing, and ad campaigns on Mi devices, even for Xiaomi themselves.

Coming back to the previous point, it appeared quite normal for the search term to appear on the browser's search bar, but what if that's the only thing which is being displayed on the Address Bar of the browser. Yep, that's what I observed, when I tapped on the URL Bar, I found only the "www.domain.com" and not the entire domain https://www.google.com/?q=www.domain.com was being displayed.

This initially kept me skeptical but I assumed that this was intended by Xiaomi, keeping (popular and major) search engines in mind, to enhance user feel and feedback, overall UX. But, guess what? 

I went ahead to try this oddly interesting behaviour with my own blog's URL (which isn't a popular search engine), guess what happened after that? I managed to reproduce the same behaviour with other websites including mine as well, as shown here, 
https://www.andmp.com/?q=www.google.com

And presto!


The URL on the address bar, appeared as www.google.com with that SSL lock in the corner, although I was actually visiting my own blog www.andmp.com. Neato, for phishing?

Xiaomi's blunder or, rather, was this intentional on Xiaomi's part?


My Opinion


The first thing that comes to one's mind after seeing this is, "This is a feature not a bug, right?"

But wait, Xiaomi proved me wrong. Their security team MiSRC acknowledges it as a High Risk security issue for their global users. So, here I am, going a bit further and maybe, I will add more of my personal opinions on what I studied through all this - this maybe biased, and unacceptable to some, but yeah, feel free to skip this part and dive straight into the PoC part, who cares about that after all?  This is still unpatched as of now, in the latest release of the Global versions of Mi Browser and Mint Browser as available on Mi Appstore. I haven't been provided any ETA or, such assurances that it would be fixed at the soonest, nothing as such, they just said their Business were repairing or, had fixed it, but truth is even if they have done so, the patched version hasn't made its way to release as of yet. 

Up until now, everything I have said or, their security team told me, might sound queer, namely "global users", browser bar including nothing but the search query in the query parameter q, and not the entire URL. So, what's going on?

Xiaomi confirmed that this was the case with their Global variants of Mi Browser. What about Chinese ones, balls wonder? But, according to them, going by their own words, DOMESTIC VERSIONS didn't show this behaviour. Why so? 

Maybe, they targeted International Users for malware/unwanted software/ad campaigns. Should we rule out this possibility, given the nature of this bug, it goes unnoticeable (appears quite normal) but it's there?

Chinese (mobile) brands and device makers are infamous for this reason, they don't  care about security and privacy, I can give a lot of examples in this regard to prove my point, but let's keep that for another post, shall we?
Let's blame their aggressive marketing, ad campaigns and phishing campaigns for these security issues. Chinese brands have always found new ways to mint money, even after the device has been bought, that maybe in the form of unwanted advertisements popping out of every other native app, harmful bloatware and as such.
But this time, it's a vulnerability that can trick a user into believing that YOU ARE VISITING GOOGLE.COM BUT ACTUALLY YOU ARE VISITING EVIL.COM. However, that isn't my point, look at the simplicity of the bug and how it appears as part of the feature rather than being a vulnerability itself? Well that's how smart Chinese developers seem to be.

Strangely, it's only present in Indian and overseas versions. So, was Xiaomi trying to find a way in which it can effectively distribute malware and set up phishing ad campaigns to trick it's International users who were blindly relying on this default in-built browser, should you trust Xiaomi in that case for anything, even your messages, or, any personal information stored on your phones? Well, this is what Chinese companies are known for internationally. 

Given the nature of this bug and how it can pass without being noticed, makes me feel it's intentional. Also, because it was not there in Mi Browser of Chinese versions of MIUI. This is mainly the reason behind my speculations!


Some Attack Scenarios

Some Technical Prospects about this attack, for why this maybe a phishing trap intentionally set by Xiaomi for its foreign users towards whom they targeted their ad campaigns,

As an adversary, one can preferably use a URL shortening service to further make this attack simpler, and more unnoticeable while directly sending links to victim users.

 - The PoC or, exploit needs almost zero user interaction. User clicks on the link and off you go!
 - Malicious pop ups, they are now easier than ever to execute large-scale successful phishing campaigns!
 - Lastly, this seems like a huge flaw left purposefully by Xiaomi who promote such advertisement campaigns by their partners.

This can even effectively be used to trick a user and steal his/her credentials, ask how?

 -> Attacker sends you crafted link
    -> Thereafter, he adds /?q=target.com to every menu link and everywhere you can click on the phishing page which successfully spoofs every bit of user interaction in the best way possible to give you an as much as real experience with the target web page which might be Google sign in page, just for example. 


Xiaomi Security Team's response and Reward

They took sometime in confirming that this bug only affects the Global/overseas versions of their browser applications.

They paid out a very low and unfair bounty, although they are a multi-billion dollar company.

The vulnerability impacts millions of users globally yet the bounty offered as such was, $99 (for Mi Browser) and another $99 (for Mint Browser).



Ridiculous, Xiaomi calls itself a multi-million dollar company and this is how they compensate researchers for their efforts in reality



Image

Peace!

2 comments:

  1. This problem persist in Mi browser (global) since 2 year. that why i uninstalled this browser.

    ReplyDelete
  2. "The vulnerability impacts millions of users globally yet the bounty offered as such was, $99 (for Mi Browser) and another $99 (for Mint Browser)."

    In all fairness, the most common reward around here is a customized FU followed by a keep your mouth shut "or else". Really puts into perspective those $99.

    ReplyDelete

Let me know what you felt after reading the article!

Post Bottom Ad

Pages