QQBrowser Vulnerability
QQBrowser is a popular app in App Store, which ranks top 3 of tool category in China. The iOS app provides network service for 2 commands, which are “url” and “installurl”. Except the “installurl” command which will drive the app to navigate to items on App Store, there are additional 9 sub commands behind “url” providing more functionalities. “tel” for dialing a specific number, “sms:” for sending sms message, “itms-services://” for installing an app, etc. All these sub commands are enclosed in the body of a post request. By sending post request, an attacker can remote manipulate the app.
Demo:
Send command to drive QQBrowser to dial a number, to navigate a designated URL, to send a sms message.
Vendor response:
Official response from vendor's security response center (translated by google translate)
Official response from vendor's security response center