I found a vulnerability in the popular Shazam application that allowed an attacker to steal the precise location of a user simply by clicking a link! This was probably one of my most underrated vulnerabilities yet - it affected over 100 million users (at the time) and could access device features, protected by app permissions, from a single click of a link. In fact, by getting creative it was also possible to make this a zero-click vulnerability, but unfortunately Apple and Google rejected this vulnerability for any reward under their bounty programs. (Don't worry, the issue was still resolved.)
The report to Shazam's security team was made in December 2018 (3 months after acquisition by Apple). Instead of the expected triage reply I was directed to raise the issue with firstname.lastname@example.org - after a bit of back and forth the vulnerability was finally fixed on March 26, 2019. It took another 8 months before Apple gave recognition and confirmed this was not eligible under their bug bounty program. Despite having a previous bounty program, Apple chose not to pay out, and Google's own Google Play Security Rewards Program did not see your location data as a big enough security risk to award a bounty.
Understanding the vulnerability
The deeplink in question is
shazam://launchurl?url=
The url parameter could either be a website or a script starting with
After decompiling the mobile app and working out how these interfaces operated I found that this object had 2 primary functions -
setMessageHandler was a function that we could override to catch the response of an action requested through the sendMessage function. This function expected a JSON object passed through it containing an additional two parameters: type and data. After some further R&D I was soon able to knock up a small proof of concept:
An attack flow could look something similar to this
This brings us on to how powerful this issue really was. With such a simple execution plan, attackers could have de-anonymized their targets with ease. In the wrong hands, it could be dangerous. In the right hands, criminals who hide online behind a fake alias could be identified. But that turns this privacy issue into an ethical one and hey, I'm just a hacker!
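On the defensive side, here is an added example (not from the original write-up and not Shazam's code; the post does not describe the fix that shipped) of how a handler for shazam://launchurl could vet the url parameter before loading it in a webview that exposes the sendMessage bridge. The allowlisted hosts, the function name and the sample deeplinks are constructed for illustration.

```javascript
// Added example, not Shazam's code. The allowlist entries are constructed
// placeholders; a real app would list only hosts it serves bridge-aware pages from.
const ALLOWED_HOSTS = new Set(['www.example.com', 'help.example.com']);

const reject = (reason) => ({ ok: false, reason });

// Decide whether a shazam://launchurl?url=... deeplink may be loaded in the
// webview that exposes the native message bridge.
function validateLaunchUrl(deeplink) {
  let link;
  try { link = new URL(deeplink); } catch { return reject('unparseable deeplink'); }
  // Lower-case before comparing; custom-scheme hosts may keep their original case.
  if (link.protocol !== 'shazam:' || link.hostname.toLowerCase() !== 'launchurl') {
    return reject('not a launchurl deeplink');
  }
  // Duplicate parameters invite parser disagreement between components.
  const values = link.searchParams.getAll('url');
  if (values.length !== 1) return reject('expected exactly one url parameter');

  let target;
  try { target = new URL(values[0]); } catch { return reject('url is not absolute'); }
  // Only https pages: this refuses script-style and other non-web schemes.
  if (target.protocol !== 'https:') return reject(`scheme ${target.protocol} not allowed`);
  // user@host forms make an untrusted host look like a trusted one.
  if (target.username || target.password) return reject('credentials in url');
  // Exact host match; suffix or substring checks accept look-alike hosts.
  if (!ALLOWED_HOSTS.has(target.hostname)) return reject('host not allowlisted');
  return { ok: true, url: target.href };
}

// Constructed sample deeplinks covering the accept path and each reject path.
const SAMPLES = [
  'shazam://launchurl?url=https%3A%2F%2Fwww.example.com%2Fpage',
  'shazam://launchurl?url=http%3A%2F%2Fwww.example.com%2Fpage',
  'shazam://launchurl?url=data%3Atext%2Fplain%2Cx',
  'shazam://launchurl?url=https%3A%2F%2Fwww.example.com.attacker.test%2F',
  'shazam://launchurl?url=https%3A%2F%2Fwww.example.com%40attacker.test%2F',
];
for (const s of SAMPLES) console.log(JSON.stringify(validateLaunchUrl(s)), s);
```

A check like this narrows which pages can reach the bridge; requests for permission-protected features such as location still deserve their own gate inside the bridge handler.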
Anyone had a similar experience in the past? Would love to hear - leave your comments below!