
Yeah, thanks, welcome to my presentation. As you said, my name is Dawin, I'm a researcher based in Munich, and I will be talking about KakaoTalk, which is South Korea's biggest mobile chat app, and how I found a way to steal another person's messages by just clicking a link. The structure of the presentation will be as follows: in the first part I will just talk about what KakaoTalk is all about, how it works, how the protocol works and what the basic flaws in the protocol are. The main part of the presentation will be the vulnerability that I found in the messaging app, and in the last part I will just conclude.

All right, so what's KakaoTalk? As I said, KakaoTalk is the biggest chat app in South Korea; it's basically the WhatsApp of South Korea. It has more than 100 million downloads from the Google Play Store and nearly 43 million daily users in Korea alone. It's a so-called super app; whoever of you knows maybe WeChat, it's an app with all the features included, like ride hailing, payment services, shopping features etc., not only chat, so the attack surfaces are huge. Talking about KakaoTalk, they offer different chat rooms: there's regular chat, team chat, secret chat and open chat, so basically different chat rooms for different usages. I took a look at the regular chat feature of the Android version 10.4.3 last year in December.

Under the hood there's a proprietary protocol called LOCO. So it's not the Berlin chicken brand or the Spanish word which means crazy; it's presumably just an internal project name made up by Kakao Corp. It's a really straightforward, basic protocol based on TCP, and they just use binary JSON under the hood, so it's just JSON in binary format, as the name suggests. They simply encrypt the traffic with an AES key that is shared with the company. The architecture is also a very straightforward messaging architecture, store-and-forward. That means there's a server in between, and if for example one participant is offline the server would cache your messages, and if you get back online again the server would forward the messages to the recipient. Already back in 2012 there was a researcher called Brian Pak who reverse engineered most parts of the protocol, so 12 years ago, and since then the core principles of the protocol haven't changed; they just added some other features on top, but there haven't been many changes.

That's an example of one of the packet payloads. You can see in line number eight that they use a so-called command, or LOCO command, which is tied to each action; in this example the SR command means that you are sending an end-to-end encrypted message with the KakaoTalk app. If you look at line number two, that's just the payload, and in the middle of the screen the M option, that's just the message, which is first encrypted and then base64 encoded, and there are some header fields involved. So the structure is pretty basic.

Since it's a simple protocol, there are also some vulnerabilities. First of all, there's no server authentication whatsoever. From HTTPS you know that there's a server that presents a certificate to prove its identity, but for the LOCO messaging backend there's no such thing, so if you would present a rogue server, that wouldn't be detected by the client. I told you that there is AES encryption on the ciphertext, but there's no integrity protection, so you could potentially flip bits in the ciphertext, and since they use a malleable block cipher mode, in this case cipher feedback (CFB) mode, targeted bit flipping attacks might be possible if you know parts of the plaintext. If some of you remember the Chaos Communication Congress from 2018, there was a nice presentation on hacking PGP email clients, the so-called EFAIL attack, and this was exactly what they exploited back then: just by knowing some plaintext, and without any integrity protection on the ciphertext, you can basically inject your own code into the ciphertext. I also put a proof of concept on my GitHub if you want to play around with the traffic and reproduce this. There's also no replay attack prevention. As I said, I was just digging at the protocol with a man-in-the-middle proxy, and you could just happily repeat the messages; the client would just accept the messages and wouldn't throw them away, so there are no nonces or freshness values or anything like that.

Coming to the main part after introducing KakaoTalk, a quick recap of the regular chat feature: that's the main thing used by all Koreans. As for any other chat app, you have
one-on-one chat and group chat functionalities, and it's really popular in South Korea; even government officials, journalists, like everyone in Korea uses KakaoTalk for messaging. It uses the LOCO protocol under the hood, and there is no end-to-end encryption by default. So unlike in WhatsApp or Signal, where you have end-to-end encrypted messaging by default, here it's not enabled; you just have this basic AES encryption, so potentially the company could read your traffic or read your messages.

I told you that KakaoTalk is like a monster app or all-in-one app; it has many features, and it also has a shopping feature, and this was actually the entry point that I found for my exploit chain. They have a WebView called CommerceBuyActivity; on Android a WebView is just another way of displaying websites in your app. The first thing as a researcher you dig for is the low-hanging fruit, right, and the first thing you usually look at is deep link parsing issues, and that's the case here. CommerceBuyActivity just renders this URL here, buy.kakao.com, and you can start it with a deep link. Deep links are a way on Android to start app components, so if you click this link here, kakaotalk://buy, on your phone, then this WebView on the right-hand side will pop up on your phone. Also cool from an attacker's point of view: it has JavaScript enabled, and it also supports the intent scheme, which is another URL scheme for starting app components via JavaScript. So if you would click an intent URL on this site, that could start any app component within KakaoTalk. The cool thing from an attacker's point of view is also that you could start non-exported app components; some of you might know Android development, in the Android manifest you can set app components to exported or non-exported, and with the intent scheme you can even start non-exported app components.

But the best part was that this WebView leaked an access token in the HTTP request header, so my goal was: can I somehow steal this token from the user and play with it? So I dissected the deep link parsing, or deep link validation. On the top you see that they just hardcoded this URL, buy.kakao.com, and this just gets rendered in the WebView. At the bottom of the page, what they actually did correctly is to validate the scheme, kakaotalk, and the host component of the deep link, which is the string buy. That's what they did correctly, and you should always do that as well. But then, as you can see in this screenshot, they just used the format method of the String class to concatenate this string with the path component of the URL, the query parameters or the fragment of the URL, and that's what I as an attacker could control. To give you an example, at the bottom you can see what was possible: if you click this deep link, kakaotalk://buy/foo, since foo is the path component, this would just get injected and appended to the real URL, buy.kakao.com/foo, and this would then be rendered in the WebView. So I thought, okay cool, those three parts I can control as an attacker.

Okay, now how could I possibly run my own arbitrary JavaScript in the WebView? So I dug deeper. The straightforward thing would be to just include some JavaScript in the deep link URL and try to run this in the WebView; okay, this didn't work. Also there was no XSS on buy.kakao.com, and I couldn't just man-in-the-middle the traffic because there was HTTPS involved; of course you could tamper with the phone and change some certificates on the phone, but for that you need physical access to the victim's phone. But I was lucky: on this domain buy.kakao.com I found this redirect endpoint, clean front end redirect blah blah blah, and this would redirect to any kakao.com domain. That was pretty cool, because this basically increased the scope of my XSS, because I could just browse any of those subdomains for possible XSS flaws, and that's what I did, I continued digging.

This was also pretty much straightforward: I was browsing all kakao.com subdomains just by using a Google dork, you just Google for it, and you know that search fields are a prominent vector for XSS flaws, so I just included the search in the Google query, and then I came up with a bunch of websites. I was lucky, I found this shoppinghow.kakao.com that had an XSS in the search, and I found this with Burp's DOM Invader tool, which is a feature of Burp Suite to find XSS flaws in the DOM, and this was the case here. The payload in the fourth bullet point is just a simple XSS payload, nothing crazy fancy, and by this I was able to run my own arbitrary JavaScript in this particular WebView and steal the user's token.

All right, the final payload is just a concatenation of stuff. You see at line number seven, that's the deep link, kakaotalk://buy, then line number eight is the redirect that I use for redirecting to another subdomain, line number nine is the vulnerable XSS site and line number ten is the XSS payload, and then you just concatenate all this stuff together and you get this long link that the user has to click. Another breakdown: that's the deep link that would fire up the vulnerable CommerceBuyActivity WebView, the redirect, the shopping website which had the flaw, and the XSS payload. This would just redirect the WebView to my own web server; with document.location you can change the location of the WebView basically, and I just had to base64 encode my server because there were some checks going on on the server side. With that deep link I could grab the access token from the user. So I got this token,
but what could I potentially do with it? The neat thing was that I could access another user's Kakao Mail account with this access token, and another great thing was that I could create a new Kakao Mail account on the user's behalf with this token, and this would happily overwrite the previously registered email address with no additional checks. Of course this was cool, because then I could just create a new email address on the user's behalf, I could access the email, and then what do you do? You just reset the user's password, and that's just a really simple account takeover. There were some client-side checks going on in the password reset procedure, but those could also easily be bypassed with Burp, because everything was just implemented on the client side.

For the proof of concept I just pre-recorded a video, because Kakao Corp fixed the issues. For the proof of concept I'm just starting an HTTP server that would serve the deep link, then in another window a netcat listener that would grab the access token from the user, then I would use this access token to take over another person's account, and then, me as an attacker, I would try to register my attacker's device to the user's account, and by that the messages are synced. You probably know this if you use WhatsApp Web or the Signal desktop app: the messages are synced between your phone and the desktop version, and that was the case here. They have a KakaoTalk desktop client and that syncs your messages to your device. Even though there was a second factor involved, they require you to enter a four-digit PIN, and I couldn't brute force that because there was some rate limiting going on on the backend side, I was in possession of the access token, and with the right curl command you can just ask the backend and it would happily tell you the PIN, which you can see at the bottom of the page. So I got the PIN and could basically register my own phone to the victim's account.

Okay, demo or GTFO. What you can see here in the video on the left-hand side is the victim, center top is the HTTP server that serves the deep link, center bottom is the netcat listener for grabbing the token, and the right-hand side is the attacker's device. I'm just chatting with the victim; white is the victim, yellow is the attacker. Okay, I'm stealing your messages. I'm sending the server URL that serves the deep link, you're going to see the GET request, now the CommerceBuyActivity WebView opens, the JavaScript gets executed and it leaks the access token here. I can grab it with netcat, and then in the background I can reset the user's password with that access token. Okay, and you got the credentials and I just log in, messages are being synced and I can access the victim's account; you see the same chat, and now I'm just responding as the victim basically.

All right, coming to a conclusion. Oh yeah, responsible disclosure: I reported this last year in December via Kakao's bug bounty program, and the funny thing was that it's only open to Korean citizens, so I didn't receive anything, which is fine, but it was a bit awkward. The vulnerable WebView was removed in later versions, the redirect was removed and they also fixed the XSS. A long time ago, in 2016, I already took a look at KakaoTalk, I found some protocol issues and reported them back then, but they were never fixed. I contacted them again now in July but I'm still waiting for a reply, and if you want to read all the correspondence, I put the correspondence with Kakao on my GitHub.

Lessons learned, for me at least: I think what was fascinating is that there are still really popular chat apps which don't need a crazy exploit chain to steal another person's messages. If you think about WhatsApp or iMessage, where you need a crazy exploit chain to take over another person's account, here this was just a simple deep link parsing issue in the end, combined with some issues on the backend side. Also, app developers might think, okay, Android is a secure platform, I don't need to worry so much about the code security; as you have seen, if you just introduce a simple logic bug in your code, this could screw your entire security, even though you have Android features like app sandboxing and stuff like that. Also, as far as I know, those mega apps are still underrepresented in the research community, and I hope this will encourage you to dig into this, because there's plenty of attack surface. That's it. All my proof of concept code is online on GitHub, there's also a full write-up of this presentation if you want to read the details, and if you want to reach out you can reach out here at the conference or on Mastodon or, yeah, steel x. But now I'm happy to take your questions. [Applause]

Thanks. Who would like to have the first question? Please go ahead.

You mentioned that there were some other things that you found with KakaoTalk. Can you say a little more about those, or should you not, since you've reported them and they're in process?

Yeah, there's also an end-to-end encryption feature in KakaoTalk called Secret Chat; it's like a dedicated chat room just for end-to-end encrypted messages. It's also based on this LOCO protocol, so this end-to-end encryption protocol was just put on top of the old legacy stuff, so it suffers from all the vulnerabilities: no ciphertext integrity protection, no server authentication, no replay protection. So it just lacks all the best practices that you would expect from an end-to-end encryption protocol. That's another thing I found; I also put this on my blog, a dedicated blog post, if you want to read this.
You mentioned that it's using AES, so it means that even the client key is stored locally on the laptop, this AES key, so an attacker can potentially use it?

No, the AES key, basically if you install the app, is stored locally on your phone, in RAM or something, and on the server side. So if you have malware on the phone, of course you can dump the memory, but it's still sandboxed, because other apps cannot easily access the AES key. But if you have a rooted phone, for example, or malware on your phone, then yeah, you can get the key.
Thanks for your talk. I was thinking about a shortcut: when they concatenate the kakao.com and the query part, couldn't you just pass a dot and your own domain in the query part, so that kakao.com would be interpreted as a subdomain of your domain, and just skip the whole XSS part? Or would the authorization header just be transmitted to the kakao.com domain?

Exactly, exactly. I tried that as well, but they validate the buy.kakao.com domain in the header. Okay, yeah.

More questions, please. Why was the authorization header sent to your listener?

In the XSS I basically put this document.location, so basically changing the site in the WebView, and if you do that they send this HTTP request to your server, like I put my URL there, and they leaked the access token in the request header, so that's how you can grab it. So it was already available in the JavaScript of the website? Yes. Okay.

Thanks for the talk, I just have a random question: if you had used Burp Collaborator to get the access token, would that have worked, or do you need a listener? I haven't, but I think potentially this would also work, if you just used the Collaborator. And where did you host the netcat listener, just an AWS instance? For the PoC just locally on my machine, but I think for a real-world attack it could be hosted anywhere, AWS for example. All right.
Thanks for the talk. My question is more general about the LOCO protocol: how do you approach the research on the protocol itself? I think it is maybe closed source, or is it open source? If it's closed source, how did you start studying it, via reverse engineering, collecting data, or did you have some more knowledge about this?

I had a rooted phone and I just hooked the function calls with Frida, and by that you can just dump the contents, so I'm just dumping the packets and hooking with mitmproxy. So I just hooked the function calls first with Frida to basically disable the encryption, in order to see the plaintext traffic, and then you just man-in-the-middle with mitmproxy. But also back in 2012 there was already some research; some guy, Brian Pak, already reversed many parts of the protocol, and since then it hasn't changed much, so this also helped of course. But since it's just based on TCP, it's pretty straightforward.

Hi, I was just checking out their website and noticed that they have a finance assets thing; is this also affected, if you're aware of the feature?

No, I'm not aware of the feature. They have a corporate or business chat feature, they call it Wallet, they have everything, I don't know. I think it's really prominent for paying; if you go to Korea you pay with KakaoTalk. I haven't taken a look at the payment feature, just at the chat functionality, but if there's a wallet there are probably some bugs. All right, thanks.

Thank you for the presentation. I have a question regarding the PIN brute forcing: you said no brute force was possible, and at the end you could find the PIN on the server, so maybe you can say more about this, because it looked like the result in both tools, the verify tool, and then you see the PIN, so is this logged? So maybe more on that.

As I said, I used a bunch of tools for just poking at the web traffic: it's Burp, of course, it's straightforward, and for finding the DOM XSS I used the DOM Invader feature, and then for poking at the protocols, at the LOCO proprietary protocol, just mitmproxy, mitmdump, Frida, and that's it, so not many.

Cut. One last short question maybe.

Hi, thanks for the talk. Which phone did you use? You said you rooted an Android, right? Can you recommend an Android phone? There's one of the sponsors here, they have phones that you can root or that they provide rooted. Have you used a physical phone or, like in my case, just an emulator? Yeah, and the emulator is easy to root as well. Okay, does it come rooted or do you just have to change the setting? You need to put the system partition to read-write when you start the emulator, and then you can change certificates on the root partition, so it's straightforward; you don't need a root exploit for the emulator. Okay. Thank you again, Dawin, for your great presentation. All right, thank you.
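Added by the editor as an illustration of the deep link parsing issue the talk describes (scheme and host are validated, then attacker-controlled path, query and fragment are formatted onto the hardcoded URL); this is not code from the speaker or from Kakao. The class name DeepLinkCheck, the helper names and the path allowlist are assumptions; kakaotalk://buy, buy.kakao.com and the /foo path come from the talk.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class DeepLinkCheck {
    // Values from the talk: the hardcoded WebView URL and the deep link scheme/host.
    static final String BASE_URL = "https://buy.kakao.com";
    static final String EXPECTED_SCHEME = "kakaotalk";
    static final String EXPECTED_HOST = "buy";
    // Assumption: a small allowlist of shop paths the WebView is meant to render.
    static final Set<String> ALLOWED_PATHS = Set.of("/", "/home", "/cart");

    /** Mirrors the vulnerable pattern: scheme and host are validated, but the
     *  deep link's path, query and fragment are pasted onto the base URL as-is. */
    static String buildVulnerable(String deepLink) throws URISyntaxException {
        URI u = new URI(deepLink);
        if (!EXPECTED_SCHEME.equals(u.getScheme()) || !EXPECTED_HOST.equals(u.getHost())) {
            return null; // the scheme/host check is correct, but on its own not sufficient
        }
        String path = u.getRawPath() == null ? "" : u.getRawPath();
        String query = u.getRawQuery() == null ? "" : "?" + u.getRawQuery();
        String fragment = u.getRawFragment() == null ? "" : "#" + u.getRawFragment();
        // Everything after the host is attacker-controlled and lands in the rendered URL.
        return String.format("%s%s%s%s", BASE_URL, path, query, fragment);
    }

    /** Hardened variant: same scheme/host check, then only an allowlisted path is
     *  accepted, query and fragment are dropped, the URL is rebuilt from fixed
     *  components, and the result is re-parsed to confirm the host did not change. */
    static String buildHardened(String deepLink) throws URISyntaxException {
        URI u = new URI(deepLink);
        if (!EXPECTED_SCHEME.equals(u.getScheme()) || !EXPECTED_HOST.equals(u.getHost())) {
            return null;
        }
        String path = (u.getPath() == null || u.getPath().isEmpty()) ? "/" : u.getPath();
        if (!ALLOWED_PATHS.contains(path)) {
            return null; // anything not on the allowlist is rejected, not appended
        }
        // Build from a fixed scheme and authority; the deep link contributes only the path.
        URI target = new URI("https", "buy.kakao.com", path, null, null);
        URI reparsed = new URI(target.toString());
        if (!"https".equals(reparsed.getScheme()) || !"buy.kakao.com".equals(reparsed.getHost())) {
            return null; // the final destination must still be the expected origin
        }
        return reparsed.toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed deep links: a legitimate one and the talk's /foo injection
        // with a query and a fragment attached.
        String legit = "kakaotalk://buy/home";
        String injected = "kakaotalk://buy/foo?q=1#frag";
        System.out.println("vulnerable, legit:    " + buildVulnerable(legit));
        System.out.println("vulnerable, injected: " + buildVulnerable(injected));
        System.out.println("hardened, legit:      " + buildHardened(legit));
        System.out.println("hardened, injected:   " + buildHardened(injected));
    }
}
```

The vulnerable builder carries /foo, the query and the fragment straight into the rendered URL, while the hardened builder returns null for the injected link and only ever renders an allowlisted path on the expected origin.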