Mobile applications

The goal is to find critical vulnerabilities in Yandex apps.
Testing scope: all public Yandex apps.

The reward amount may increase or decrease depending on the exploitation method and app.

See the full list of apps here.

Keep in mind that the number of app downloads, popularity, and the amount of data it processes also affect the reward.

Rewards by category (Category / Description / Reward, USD):

Category: Arbitrary code execution
Description: Execution of code in a running app without explicit user consent or additional OS permissions. For example:
  • Overwriting the .so executable with a malware.so file
  • Execution of the Java exec function with an arbitrary command
Reward, USD: $1,500 - $5,500 (remote exploit: $3,000 - $11,000)

Category: Unauthorized access to user authentication data
Description: Vulnerabilities related to gaining access to the account login and password or an OAuth token. For example, the ability to load an arbitrary URL in WebView combined with OAuth token theft.
Reward, USD: $800 - $5,500 (remote exploit: $1,500 - $11,000)

Category: Access to sensitive data
Description: Vulnerabilities related to accessing sensitive data processed by a mobile app.
Reward, USD: $500 - $2,000

Category: Other vulnerabilities
Description: Other security vulnerabilities, such as:
  • Application logic manipulation (e.g. mutable deeplinks)
  • Intent redirections (only with a demonstrated impact)
  • Path traversals (e.g. zip slip) that allow overwriting a file in the app's private container
  • Phishing via arbitrary URL loading in WebView
Reward, USD: $100 - $1,500

This competition is designed to test the security of mobile apps for Yandex services.

In deeplinks
Our apps implement a lot of deeplinks, sometimes dozens or even more per app. We are particularly interested in attacks on those that can be used to affect an app's operation (mutable deeplinks) or to access sensitive data, for instance:

  • Deeplinks that can be exploited to make an app send a request, including its session headers, to a web service controlled by the bug hunter (session header substitution)
  • Deeplinks that can be used to change an app's preferences, for example the backend in use: yamobileapp://debug?set_api_backend=//example.com


In WebView
Our apps can also contain WebView components. This usually involves filtering the domains that can be loaded into the WebView. We are interested in attacks that bypass those filtering restrictions.

Sometimes a WebView exposes a JavaScript interface (bridge) to implement advanced functionality. We are interested in scenarios where you can display a controlled domain in the WebView and use the available JS interfaces, for example, to get the current geolocation.
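Both passages above (the backend-override deeplink and WebView domain filtering) come down to the same question: is a URL the app did not choose itself allowed? The following is an added example, not Yandex code, showing the parsed allowlist check a defender would expect in place of a substring match. The allowlist hosts (`example-app.test`) and the handler `backend_override_from_deeplink` are assumptions for illustration; the `set_api_backend` parameter name is the one from the deeplink shown on this page. The logic is written in Python for portability and would be ported to the app's platform language.

```python
"""Allowlist validation for URLs that arrive from outside the app:
deeplink parameters and WebView navigation targets (added example)."""
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist for illustration; a real app lists its own hosts.
ALLOWED_HOSTS = {"example-app.test", "api.example-app.test"}
ALLOWED_SUFFIXES = (".example-app.test",)


def naive_is_allowed(url: str) -> bool:
    """The substring check a domain filter often starts with.
    Kept only to contrast with the parsed check below: it accepts any URL
    that merely mentions the allowed name somewhere."""
    return "example-app.test" in url


def is_allowed_url(url: str) -> bool:
    """Parse first, then compare the host component only."""
    parts = urlsplit(url)
    # Scheme-relative ('//host') and relative URLs inherit a scheme from the
    # caller; requiring https up front rejects them and plain http alike.
    if parts.scheme != "https":
        return False
    # 'allowed-name@real-host' puts an allowed name in the userinfo slot,
    # where weak checks see it; refuse any authority containing userinfo.
    if "@" in parts.netloc:
        return False
    host = parts.hostname  # lower-cased by urlsplit, port stripped
    if not host:
        return False
    if host in ALLOWED_HOSTS:
        return True
    # Suffix match with the leading dot so 'evilexample-app.test' does not match.
    return any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES)


def backend_override_from_deeplink(link: str):
    """Hypothetical handler for a debug deeplink carrying 'set_api_backend'.
    Returns the new backend URL only if it passes the allowlist; otherwise
    returns None so the app keeps its default backend."""
    parts = urlsplit(link)
    candidate = parse_qs(parts.query).get("set_api_backend", [None])[0]
    if candidate is None or not is_allowed_url(candidate):
        return None
    return candidate


if __name__ == "__main__":
    # The deeplink from the page: the scheme-relative value is rejected.
    print(backend_override_from_deeplink(
        "yamobileapp://debug?set_api_backend=//example.com"))
    # A WebView navigation target that names the allowed host in the wrong place.
    print(naive_is_allowed("https://evil.example/?next=example-app.test"),
          is_allowed_url("https://evil.example/?next=example-app.test"))
```

The same `is_allowed_url` check is what a WebView's navigation callback would consult before loading a page or exposing a JS bridge to it; the deeplink handler only differs in where the URL comes from.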

In the user account synchronization system

Our apps use Account Manager for seamless authentication. We are interested in the ways third-party apps can get access to a user account.

This contest covers the following exploitation methods:

  • Fully remote exploit: for instance, when sending a user a message that does not need to be opened, or sharing the same Wi-Fi network with the user, is enough.
  • 1-click exploit: a user needs to be persuaded to click a link and open a Yandex app.
  • Malware installation: malware must be installed by the user. Please note that the reward amount is reduced due to the difficulty of the exploit.
The following data is considered sensitive:
📍 Geodata
  • User location data
  • Saved private addresses
  • The ability to view a user’s location
💰 Financial data
  • Transaction history and account balance
  • Limits on Yandex Split
  • Information on contractor earnings
💾 Service data
  • Information on user's trips or orders
  • Emails, meeting details, and documents
  • Alice skills
  • Search history
  • Real (not substituted) phone numbers of users / couriers / drivers / advertisers

Restrictions:

  • 1-click exploit implies that all it takes to reproduce the vulnerability is to click a link.
  • Fully remote exploit implies that no user action, whether an app installation or a click, is required. For instance, a vulnerability can be exploited while sharing a Wi-Fi network, within Bluetooth range, or by sending an email or message to a user.
  • By default, a vulnerability should affect the latest app version. Reports of exploits that work only in an app version other than the current one are unlikely to be rewarded.
  • Hardcoded API keys are rewarded only if security engineers prove resource exhaustion. Please do not attempt API key attacks on your own.
  • Public zero-day vulnerabilities in third-party dependencies patched at least 2 months ago are considered individually and only against proof of exploitation.


Yandex doesn't reward:

  • Scanner reports without proof of exploitation.
  • Vulnerabilities that can be exploited only using root privileges, a jailbreak, or any other modification of apps or devices.
  • Vulnerabilities that require physical access to a device.
  • Missing or insufficient SSL/certificate pinning.
  • Lack of environment attestation.
  • Sensitive data stored in plain text in a private app container without proof that the data can be accessed externally.
  • Authentication data obtained other than by exploiting a mobile app vulnerability.
  • StrandHogg and similar vulnerabilities.
  • Unauthorized access to non-sensitive media files in an app container.
  • Vulnerabilities that require excessive user actions.


Wed Oct 09 2024 09:51:59 GMT+0300 (Moscow Standard Time)