Passcode Protection Bypass by Brute Forcing on Zoho (Cliq Application)

First, we discuss what a passcode is and why it is implemented in mobile applications.

A passcode is implemented in a mobile application to protect it from unauthorized access. For example, suppose your Cliq account (or any other application account) is logged in on your phone and a friend asks to borrow the phone. If the friend tries to open the Cliq application to see your messages, they cannot open it without entering the passcode. Passcode protection in an Android application is therefore an extra layer of security against unauthorized access.

How Is Passcode Protection Bypassed by Brute Forcing?

Passcode or PIN protection in mobile applications normally allows a limited number of attempts. If you enter the wrong passcode more than 5 or 10 times, depending on the application's security, the user is automatically logged out and redirected to the login page. Due to loopholes, however, some applications do not log the user out automatically and only show a warning message, so an attacker can easily brute force the passcode.

HOW I BYPASSED PASSCODE PROTECTION ON CLIQ?
Open the Cliq application and apply passcode protection.
Open the application; it asks you to enter the passcode. Now enter a passcode three or four times, and a prompt is shown like: "maximum attempt , account will be logout".

If I click OK, I am logged out and redirected to login. Now I kill the application from the background without clicking the OK button and reopen the application. This time the warning message is not shown and I can attempt the passcode 1 more time.

Seeing this, I got an idea: can I automate this task?

1. I decompiled the application, opened the AndroidManifest.xml file and searched for an activity that can be called directly by adb. Activities that have an intent filter or have the exported attribute set to true can be launched directly by adb.
2. I found an activity, lib.zoho.videolib.AudioMessageActivity, that can be called directly.
3. I connected the phone to the PC and entered the command

 adb shell am start -n com.zoho.chat/lib.zoho.videolib.AudioMessageActivity

Repeat this many times. On running this, the passcode activity opened again; enter the passcode again.

To automate this task, I created an application that launches this activity every 5 seconds.

By doing this, I bypassed the Cliq application passcode protection by brute force.
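The manifest check from step 1, written as a defender-side audit. This is an added example, not code from the original post or from Zoho: it lists the activities in a decoded AndroidManifest.xml that can be started from outside the app. The sample manifest is constructed, and its package name, class names and the function name `externally_startable` are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <application>
    <activity android:name=".PasscodeActivity" android:exported="false"/>
    <activity android:name=".LauncherActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="lib.example.media.AudioActivity" android:exported="true"/>
    <activity android:name=".ShareActivity" android:exported="false">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>"""


def externally_startable(manifest_xml):
    """Return [(activity, reason)] for activities startable from outside the app."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for node in root.iter():
        if node.tag not in ("activity", "activity-alias"):
            continue
        name = node.get(A + "name", "")
        if name.startswith("."):
            name = package + name  # expand relative class name
        exported = node.get(A + "exported")
        has_filter = node.find("intent-filter") is not None
        if exported == "true":
            findings.append((name, "android:exported=true"))
        elif exported is None and has_filter:
            # With no explicit value, an intent-filter makes the component exported
            # (apps targeting API 31+ must declare the attribute explicitly).
            findings.append((name, "intent-filter without android:exported"))
    return findings


if __name__ == "__main__":
    for name, reason in externally_startable(SAMPLE_MANIFEST):
        print(f"{name}: {reason}; confirm the passcode check runs before it shows content")
```

Each activity it reports is an entry point that adb or another app can start, so the lockout state has to be enforced there as well as on the normal launch path.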


Timeline:
Mar 25, 2020 - Bug Reported to ZOHO
Mar 26, 2020 - Status changes to Triaged | Explained how to reproduce the bug
Mar 26, 2020 - Nice Catch! from ZOHO
Apr 9, 2020 - Bounty Awarded $$$ + HoF

Comments

blog_first said…
What is the Zoho version of the APK?
