If you found exposed broadcast receiver in android app. Reverse the app and investigate may give you access to private shared pref using object deserialization and may lead to account take over!

Android tip: wifi passwords are in /data/misc/wifi/wpa_supplicant.conf

#bugbounty Pro Tip - Android applications can suffer from LFI and stored XSS just by injecting <iframe/src=/etc/hosts> into input fields. Payout: $4,500! 😎👍— xer0dayz (@xer0dayz) June 24, 2018

Last updated