In this blog post we show how multiple low-hanging fruit vulnerabilities in KakaoTalk’s Android app can lead to the disclosure of users’ messages. We will cover different topics ranging from Android AppSec to Web Security.TL;DRFirst things first: PoC||GTFO A deep link validation issue in KakaoTalk 10.4.3 allows a remote adversary to run arbitrary JavaScript in a WebView that leaks an access token in a HTTP request header. Ultimately, this token can be used to takeover another user’s account and ...