A Long Overdue Write-up: How I got into the Oppo Hall of Fame
I don’t do Bug Bounty programs much, so this section of the website will be as deserted as the roads were when we were all in quarantine. If I happen to stumble upon an interesting bug, I sit down and try to dig deeper.
Yes, I stumbled upon this bug. Walking down memory lane: last year I got hold of a Redmi device owned by my friend, Muhammad T S, and it was locked. Out of curiosity I turned on the screen and saw an ad (ads or articles on lockscreens deserve the same place in people’s minds as pop-up ads). I clicked on every possible link and button, and the next thing I knew, I was on the main page of Google. From there, I was able to browse the internet as if it were my own device. No restrictions. And I didn’t have to worry about the data usage.
I was too lazy to report that bug, as it would have required me to invest a good amount of time during my busy final year at college. I thought, “Maybe later”. After around two months, I found out that it had been reported by someone else :( . My laziness cost me a spot in Xiaomi’s Hall of Fame. :((((((
A couple of days later my friend, Govind P, got a new Oppo phone. I checked out the phone and then locked the device. I turned on the screen and there it was, the disgusting lockscreen ads with the same sh***y UI.
I thought about the steps to reproduce what I did on Redmi. I was presented with a screen as shown.
There was a “More” button which allowed me to read the article. I clicked on that. It opened the article, and I scrolled down to see if it showed an ad. Yes, it did, and it was a Google ad.
If you have ever looked closely at Google ads, they have a tiny close button (x) at the top right along with an info button (i). This is one of the moments where I want to say “I have a meme for that!”.
I clicked on that (i) and it showed me this:
It will minimize the article and show a menu like the one below.
Then I clicked on the Hamburger menu icon on the top left and another menu opened up.
Yeah, you guessed it. I clicked on the grid menu icon and guess what showed up! The Google apps. Yey!!!!!
I could open any of those apps. Opening Google took me directly to Google Search, from which I could search for anything and navigate to any website.
I could even play YouTube videos.
As simple as that. No tool was employed to find this vulnerability. It was an error in the implementation of a rarely used feature (lockscreen ads / articles). The OS did not require any authentication for the actions performed from the lockscreen; it seems to have assumed that anything reachable from the lockscreen was safe to expose, and so the ad’s web content could navigate off the page and launch other apps while the phone was still locked. (So is it a lockscreen bypass??? IDK, maybe…)
But wait, the article is not over!! The menu which showed the Google apps was scrollable, and it revealed Gmail when I scrolled down. So I clicked on that. It showed the Google login page. Dead end? No! Because when I clicked the ‘Username’ field, Google’s Autofill showed up!!!!
Turns out, it was connected to the built-in browser of the device, and any passwords saved in that browser could be autofilled into this login page. Sadly, I could not exploit this further, as the post-login page is shown only after unlocking the device.
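To make the two failures above concrete (links and app launches working without authentication, and the browser’s saved credentials reachable from the lockscreen), here is an added example of how a lockscreen “article” activity could be built so that neither happens. This is illustrative code written for this write-up, not Oppo’s, Xiaomi’s or any ad SDK’s implementation; the class name, the `articles.example.com` allowlist and the article URL are hypothetical. It uses standard Android APIs (`KeyguardManager.requestDismissKeyguard`, `Activity.setShowWhenLocked`, `WebViewClient.shouldOverrideUrlLoading`), so it needs API level 27 or later.

```java
// Added illustration for this write-up, not Oppo's or the ad SDK's code.
// A hypothetical lockscreen "article" activity that (1) keeps navigation
// inside an allowlist while the keyguard is locked and (2) makes the user
// dismiss the keyguard before any external app (browser, Gmail, YouTube)
// is launched. Requires API 27+ (setShowWhenLocked).
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.view.View;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.Set;

public class LockscreenArticleActivity extends Activity {
    // Hypothetical allowlist: only the article host may be shown on the
    // lockscreen. google.com, accounts.google.com, youtube.com etc. are
    // "off the page" and need an unlock first.
    private static final Set<String> ALLOWED_HOSTS =
            Collections.singleton("articles.example.com");

    private KeyguardManager keyguard;
    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setShowWhenLocked(true); // this is what puts the activity on the lockscreen
        keyguard = getSystemService(KeyguardManager.class);

        webView = new WebView(this);
        // Saved passwords and autofill have no business on a locked device:
        // opt the whole WebView subtree out of the autofill framework.
        webView.setImportantForAutofill(View.IMPORTANT_FOR_AUTOFILL_NO_EXCLUDE_DESCENDANTS);
        webView.getSettings().setJavaScriptEnabled(false);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest req) {
                // Returning true tells the WebView NOT to load the URL itself.
                return !navigationAllowed(req.getUrl());
            }
        });
        setContentView(webView);
        webView.loadUrl("https://articles.example.com/today"); // hypothetical URL
    }

    /** The behaviour the write-up describes, shown for contrast: every link
     *  goes straight to the system browser, locked or not. Do not ship this. */
    private void openExternalUnchecked(Uri uri) {
        startActivity(new Intent(Intent.ACTION_VIEW, uri));
    }

    /** Hardened: an https link to an allowlisted host may load in place;
     *  anything else is deferred until the owner has authenticated. */
    private boolean navigationAllowed(Uri uri) {
        String host = uri.getHost();
        if (host != null && ALLOWED_HOSTS.contains(host) && "https".equals(uri.getScheme())) {
            return true;
        }
        openExternalAfterUnlock(uri);
        return false;
    }

    private void openExternalAfterUnlock(Uri uri) {
        final Intent view = new Intent(Intent.ACTION_VIEW, uri);
        if (!keyguard.isKeyguardLocked()) {
            startActivity(view); // device already unlocked: nothing to gate
            return;
        }
        // Prompt for PIN / pattern / biometric. The intent fires only on success;
        // cancelling leaves the user on the lockscreen article with nothing launched.
        keyguard.requestDismissKeyguard(this, new KeyguardManager.KeyguardDismissCallback() {
            @Override
            public void onDismissSucceeded() {
                startActivity(view);
            }

            @Override
            public void onDismissCancelled() {
                // Stay on the lockscreen; launch nothing.
            }
        });
    }
}
```

The point of the split between `navigationAllowed` and `openExternalAfterUnlock` is that the lockscreen surface never decides on its own that a destination is safe: anything outside the ad’s own host is treated as leaving the lockscreen, and leaving the lockscreen is exactly what the keyguard exists to authenticate.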
I decided to be less lazy and report the issue ASAP.
April 2019 - Reported the bug.
May 2019 - Issue was confirmed and was rewarded 10,000 INR.
The bounty took a long time to get credited, though!
Hope you liked this article. :)