| Field | Value |
|---|---|
| Title | Groww Groww Android Application Latest Available Version Weak Client-Side Protection and Unsafe WebView URL Handling |
| Description | The Groww Android application contains an internal WebView activity that can be invoked in a privileged ADB/debug environment. During testing, arbitrary external URLs could be rendered inside the application WebView, and JavaScript execution within the trusted application context was confirmed using a controlled demonstration environment.<br><br>Additionally, weak enforcement of the client-side application lock allowed navigation into portions of the application interface without passcode re-validation after activity invocation.<br><br>The issue requires privileged device access (ADB/debug environment) and does not result in server-side authentication bypass or direct account compromise.<br><br>Security Impact:<br>- Rendering of attacker-controlled content inside application WebView<br>- Potential UI redressing or phishing-style abuse under privileged device conditions<br>- Weak local app-lock enforcement<br><br>Attack Requirements:<br>- Physical/debug access to device<br>- ADB-enabled environment<br>- Existing authenticated session |
| Source | https://github.com/honestcorrupt/Groww-Android-Application-Unsafe-WebView-URL-Handling-Weak-Client-Side-App-Lock-Enforcement.git |
| User | honest_corrupt (UID 85229) |
| Submitted | 2026-05-08 08:51 AM (1 month ago) |
| Moderation | 2026-06-12 09:33 AM (1 month later) |
| Status | Accepted |
| VulDB Entry | 370560 [Groww Stock, Mutual Fund, Gold App up to 20260805 on Android WebView URL] |
| Points | 20 |