I found a security vulnerability in Rocket's latest android app by which I was able to remotely crash any user鈥檚 app instantly just by just sending a simple message in private or in channel. The vulnerability require the victim open the message.
Rocket.Chat.Android version: (e.g. 4.5.1)
Mobile device model and OS version: (tested on :+1: -- " Android 6.0, 8.0, 10.0"), probably any other android version
Create new #test channel
Send POC Code onto the channel
Open Mobile App
App gets crashed



https://pastebin.com/raw/JEDcC5Yr
There is no such problem in iOS client and rocket web
I was able to reproduce it.
Error:
03-20 08:43:56.892 19002 19471 E AndroidRuntime: FATAL EXCEPTION: OkHttp Dispatcher
03-20 08:43:56.892 19002 19471 E AndroidRuntime: Process: chat.rocket.android, PID: 19002
03-20 08:43:56.892 19002 19471 E AndroidRuntime: java.lang.RuntimeException: java.net.URISyntaxException: Illegal character in authority at index 8: https://google.com+`{}alph4`/
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at okhttp3.HttpUrl.uri(HttpUrl.java:386)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at okhttp3.internal.connection.RouteSelector.resetNextProxy(RouteSelector.java:129)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at okhttp3.internal.connection.RouteSelector.<init>(RouteSelector.java:63)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at okhttp3.internal.connection.StreamAllocation.<init>(StreamAllocation.java:101)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:112)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:254)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at okhttp3.RealCall$AsyncCall.execute(RealCall.java:200)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at java.lang.Thread.run(Thread.java:919)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: Caused by: java.net.URISyntaxException: Illegal character in authority at index 8: https://google.com+`{}alph4`/
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at java.net.URI$Parser.fail(URI.java:2893)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at java.net.URI$Parser.parseAuthority(URI.java:3231)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at java.net.URI$Parser.parseHierarchical(URI.java:3142)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at java.net.URI$Parser.parse(URI.java:3098)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at java.net.URI.<init>(URI.java:584)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: at okhttp3.HttpUrl.uri(HttpUrl.java:379)
03-20 08:43:56.892 19002 19471 E AndroidRuntime: ... 12 more
atleast guys give contribution on releases too, so that we could get more eager to find more bugs ... not a seeker but anyway tho we hoomans
https://github.com/RocketChat/Rocket.Chat.ReactNative/releases/tag/4.6.0-beta.0
@gitnepal I guess you're right.
Done.
It's hard to track contributors outside commit authors.
Most helpful comment
@gitnepal I guess you're right.
Done.
It's hard to track contributors outside commit authors.