A humble first for a small series on leaky and vulnerable apps
The Samsung-exclusive app CNN for Samsung Edge
The included PoC uses mitmdump and python to extract received telemetry and modify content, replacing headlines, images, and links. While the PoC could use HTTP 301 to move the section-definitions to a third-party server, this has intentionally not been done, in order to ensure it’s easily reversible. As of writing, this exploit works with the most up to date version of the app.
Proof of Concept
Requirements: mitmproxy 4.0.4 installed on the PC (
pip install -r requirements.txt), CNN for Samsung Edge Panel (1.0.rc39) installed on the Samsung mobile device (available in the Galaxy Store)
Only tested with Python 3.6.5 on Ubuntu 18.04.1
1. On the test PC run:
mitmdump -s cnn-edge-panel-01/src/demo.py --anticomp --anticache --ignore :443$
2. On the Samsung mobile device: set the test PC as the HTTP proxy of the device
3. (not necessary) On the Samsung mobile device: open a browser and go to a website, if you see “…
4. Open the CNN for Samsung Edge Panel app. If the PoC works, you should see all categories being renamed “Hacking”, and all the news being replaced with jokes. Pressing “Hack all the things”, should then open a YouTube video. Additionally, the terminal should have at least one line reading “Got metrics …”, config.outturner.com, metrics.cnn.com, and compositor.api.cnn.com.
Depending on caching, you might experience that the sections retain their unmodified names if this happens but the headlines and such changed, the app didn’t reload edge-config.json but did reload the section. As of writing, it appears edge-config.json has been 404ed, the PoC has been updated to bypass this.
- HTTPS, not HTTP being used in the app, HTTP 301, HSTS on compositor.api.cnn.com
- edge-config.json only lists HTTPS URLs
- edgepanelkill.json only lists HTTPS URLs
- 2018-09-11 Issue reported to Samsung
- 2018-09-14 Samsung dismisses issue (not a Samsung app)
- 2018-09-14 Issue reported to CNN
- 2018-10-06 Issue reported to CNN
- 2018-12-16 Report published