Exploiting iOS app for fun and profit 💲💲💲

Hi readers, I hope everyone is doing well. In this blog I'm going to share one of my recent findings in an iOS app. The app is widely used in India and is currently on the top charts in the Education section. Because of the NDA policy I can't disclose the app name.

So, this iOS app is a kind of learning platform where students can join teachers' classes, comment on and react to teachers' posts, and so on.

When someone comments on a teacher's post, the comment is visible to everyone. The comment field renders URLs as clickable links, so a comment such as https://google.com/ becomes a tappable link, and tapping it opens the URL in a WebView inside the app rather than in Safari.

The worst part is that the app's WebView is misconfigured: whenever a URL is opened inside it, the app's cookies are sent along to that URL, whatever its host. Since the app stores its auth token in a cookie, any link I post leaks the session token of every user who taps it to my server, which makes account takeover straightforward.
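The post does not show the WebView code, so here is an added example (mine, not the vendor's) of one common way this bug arises, next to a hardened version. The cookie name `auth_token`, the hosts in `firstPartyHosts`, and the class names are assumptions. The leaky controller stamps the session cookie onto every request it loads, so any host a comment links to receives it; the scoped controller keeps the cookie in the WebView's own cookie store bound to a first-party host, refuses off-host navigation in the navigation delegate, and hands third-party links to SFSafariViewController, which cannot see the app's cookies.

```swift
// Added example, not the app's code. Assumed: the session token lives in a
// cookie named "auth_token" and the first-party hosts are the ones listed below.
import UIKit
import WebKit
import SafariServices

let firstPartyHosts: Set<String> = ["api.example.com", "www.example.com"] // assumed

// VULNERABLE: whatever URL a comment contains is loaded in the app's own WebView
// and the session cookie is forced onto the request regardless of host. A comment
// linking to https://attacker.example/ therefore receives
// "Cookie: auth_token=..." from every user who taps it.
final class LeakyWebViewController: UIViewController {
    private let webView = WKWebView()
    private let authToken: String

    init(authToken: String) {
        self.authToken = authToken
        super.init(nibName: nil, bundle: nil)
    }
    required init?(coder: NSCoder) { fatalError("not used") }

    func open(_ url: URL) {
        var request = URLRequest(url: url)
        // No check on request.url?.host: the cookie goes to any destination.
        request.setValue("auth_token=\(authToken)", forHTTPHeaderField: "Cookie")
        webView.load(request)
    }
}

// HARDENED: the cookie is set in an isolated cookie store, scoped to a first-party
// host, so WebKit itself only sends it there; navigation off-host is refused; and
// third-party links are shown in SFSafariViewController instead.
final class ScopedWebViewController: UIViewController, WKNavigationDelegate {
    private let webView: WKWebView
    private let authToken: String

    init(authToken: String) {
        self.authToken = authToken
        let config = WKWebViewConfiguration()
        config.websiteDataStore = .nonPersistent() // separate cookie jar for this session
        self.webView = WKWebView(frame: .zero, configuration: config)
        super.init(nibName: nil, bundle: nil)
        webView.navigationDelegate = self
    }
    required init?(coder: NSCoder) { fatalError("not used") }

    /// True only for https URLs on a host the session cookie may be sent to.
    static func isFirstParty(_ url: URL) -> Bool {
        guard url.scheme == "https", let host = url.host?.lowercased() else { return false }
        return firstPartyHosts.contains(host)
    }

    func open(_ url: URL) {
        guard Self.isFirstParty(url), let host = url.host else {
            // External link: Safari view controller has no access to the app's cookies.
            present(SFSafariViewController(url: url), animated: true)
            return
        }
        // Host-only, Secure cookie: WebKit will not attach it to any other host.
        guard let cookie = HTTPCookie(properties: [
            .name: "auth_token",
            .value: authToken,
            .domain: host,
            .path: "/",
            .secure: "TRUE",
        ]) else { return }
        webView.configuration.websiteDataStore.httpCookieStore.setCookie(cookie) { [weak self] in
            self?.webView.load(URLRequest(url: url))
        }
    }

    // Refuse links and redirects that try to move the authenticated WebView off-host.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url else {
            decisionHandler(.cancel)
            return
        }
        if Self.isFirstParty(url) {
            decisionHandler(.allow)
        } else {
            decisionHandler(.cancel)
            present(SFSafariViewController(url: url), animated: true)
        }
    }
}
```

The delegate check is defence in depth: once the cookie is scoped to a first-party host the cookie store will not send it elsewhere, but the check also stops a redirect from a first-party page from turning the app's own, logged-in WebView into a phishing surface. From the tester's side the verification is the one the post describes: comment a link to a host you control, tap it from a second account, and watch whether a Cookie header arrives at your server.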

I'm not an iOS pentester, but I found a piece of code which, if I'm not wrong, might be the cause of this kind of cookie leak:

What happens when others click on the link in my comment?

  • When a user clicks the link in my comment, it opens in the WebView and that logged-in user's cookies are leaked to my server, like this:

Using that cookie against the iOS app's API gives access to the victim's account and lets you perform actions as that user. Below I requested /api/v1/user/me with the stolen cookie (the auth token), and the response returned the user's email, phone number, permissions and tokens.

I reported the issue to the vendor and it was triaged; after a few conversations with the team they marked it as high severity and I was rewarded.

I hope you enjoyed my blog <3.