
Episode 28: Surfin' with CSRFs

Critical Thinking - Bug Bounty Podcast


How to Use TikTok to Scan QR Codes Within an App

It's not cross-app, but it is cross-domain within the app. You could just encode an arbitrary QR code pointing to a URL and it would open it within the app, in the internal web view within the app. The way that it routed is that it would try and use the internal URL schemas. But if you put just HTTP in there, then it'll open it in an internal web view. Yes, they're public. I guess for mine, it's more like the kind of thing that I talked about where it's basically the closest you can get to a CSRF without it being a car.
