Security vulnerability in Vault's WebView #1253

Open
mvettosi opened this issue Jan 10, 2025 · 1 comment

mvettosi commented Jan 10, 2025

Braintree SDK Version

4.41.0

Environment

Production

Android Version & Device

No response

Braintree dependencies

com.braintreepayments.api:paypal

Describe the bug

It was raised that our app, when loading the Vault's WebView opened by the Braintree SDK to allow the user to save a PayPal account, is exposed to a serious security vulnerability.

The description follows as it was submitted to us. None of the recommendations to fix it seem accessible from our code and no options for them seem to be exposed from the SDK, hence opening this issue to understand if there's something the app developer is supposed to do to prevent these, or if it's an actual bug of the library.

Summary

A security vulnerability has been identified in the application that utilizes a WebView for payment processing via PayPal. The combination of debug mode and JavaScript execution enabled in the WebView allows an attacker on the same network to intercept sensitive user interactions, potentially leading to credential theft and redirection to malicious phishing sites.

Vulnerability Details

The vulnerability arises from the following conditions:

  • WebView Debug Mode Enabled: This setting allows attackers to inspect the WebView and manipulate its content.
  • JavaScript Execution Allowed: When JavaScript is enabled, it opens up avenues for Cross-Site Scripting (XSS) attacks, enabling attackers to execute arbitrary scripts within the context of the user’s session.

Impact

An attacker could:

  • Intercept User Credentials: By observing the user's actions in the PayPal payment window, attackers can capture sensitive information such as usernames and passwords.
  • Redirect Users: Attackers can redirect users to malicious sites that mimic legitimate payment gateways, facilitating phishing attacks and potentially leading to unauthorized transactions.

Recommendations

To mitigate this vulnerability, it is recommended to:

  • Disable WebView debug mode in production builds.
  • Restrict JavaScript execution within WebViews or ensure that only trusted content is loaded.
  • Implement Content Security Policies (CSP) to limit sources of executable scripts.

To reproduce

  • Set Up:
    • Ensure that the app is installed on a device.
    • Connect the device to a network where you have access to other devices (e.g., a local Wi-Fi network).
  • Enable Debug Mode:
    • Use Chrome's remote debugging tool by navigating to chrome://inspect on your desktop browser.
    • Open the app on your mobile device.
  • Observe WebView Activity:
    • In Chrome's inspect tool, locate the WebView instance of the app.
    • Monitor network requests and interactions while performing a transaction using PayPal.
    • For the PoC, I executed JavaScript to redirect the user.

Expected behavior

It should not be possible to locate the app's WebView from external dev tools and manipulate its JavaScript code.

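Added example, not code from the reporter or from the Braintree SDK: a Kotlin helper showing, for a WebView the app itself owns, the two mitigations the report recommends in working form. `WebView.setWebContentsDebuggingEnabled` is static and applies to every WebView in the process, so it is gated on whether the APK is actually debuggable rather than hard-coded, and top-frame navigation is confined to an assumed allowlist of hosts so that a script-triggered redirect to a look-alike domain is refused. The `SecureWebViewFactory` name, the allowlist hosts and the chosen settings are assumptions for illustration; the SDK's own WebView is created inside the SDK, so only the process-wide debug flag below affects it.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Hypothetical helper for WebViews the app itself owns (not part of the Braintree SDK).
object SecureWebViewFactory {

    // Assumed allowlist for the payment flow; replace with the hosts your flow really loads.
    private val allowedHosts = setOf("www.paypal.com", "www.sandbox.paypal.com")

    // True only when the APK was built with android:debuggable="true" (debug builds).
    fun isDebuggableBuild(context: Context): Boolean =
        (context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0

    // setWebContentsDebuggingEnabled is static and covers every WebView in the process,
    // SDK-created ones included. Call this once (e.g. from Application.onCreate) and never
    // pass a hard-coded true: a release build must not be listed in chrome://inspect.
    fun configureDebugging(context: Context) {
        WebView.setWebContentsDebuggingEnabled(isDebuggableBuild(context))
    }

    // Only https URLs whose host is on the allowlist may be navigated to.
    fun isAllowedUrl(url: String): Boolean {
        val uri = Uri.parse(url)
        return uri.scheme == "https" && uri.host in allowedHosts
    }

    fun create(context: Context): WebView {
        configureDebugging(context)
        return WebView(context).apply {
            // The hosted payment page needs JavaScript; the settings below limit what it can reach.
            settings.javaScriptEnabled = true
            settings.allowFileAccess = false      // no file:// reads from page scripts
            settings.allowContentAccess = false   // no content:// provider access
            settings.setSupportMultipleWindows(false)
            settings.setGeolocationEnabled(false)
            webViewClient = object : WebViewClient() {
                // Called for top-frame navigations, including ones a script triggers via
                // window.location (this overload requires API 24+). Returning true cancels
                // the load, so an injected redirect off the allowlist is dropped, not followed.
                override fun shouldOverrideUrlLoading(
                    view: WebView,
                    request: WebResourceRequest
                ): Boolean {
                    return !isAllowedUrl(request.url.toString())
                }
            }
        }
    }
}
```

The initial `loadUrl` call is not routed through `shouldOverrideUrlLoading`, so the app should run the starting URL through `isAllowedUrl` itself before loading it. A quick check for the first mitigation is the one the report already describes: a release build configured this way should not appear under chrome://inspect.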

sarahkoop (Contributor) commented

Hi @mvettosi, thanks for reporting this - we are investigating internally and will post here when we have an update!
