Galaxy Store Applications Installation/Launching without User Interaction

We discussed this vulnerability during Episode 163 on 31 October 2022

There seem to be a lot of gaps in this writeup, but to the best of my understanding the bug is a straightforward XSS, reachable only in the MCS Webview, that gives access to the window.GalaxyStore object and through it the ability to download or open any application from the store.

Getting the page displayed does not require any trickery; it can be reached through a deeplink like samsungapps://MCSLaunch?action=each_event&url={{url}}, pointing the URL at the vulnerable page.

When displayed inside the MCS Webview, this page crafts a number of intent:// links and reflects parameters from the current page into the generated URLs. This is done without any escaping, leading to XSS.
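The defect is plain string concatenation of reflected parameters into intent:// links and then into the page's HTML. As an added illustration (not Galaxy Store's own code; the parameter names, the package-name allow-list and the intent URI body are assumptions), this is the shape a fixed link builder takes: validate the value against a strict allow-list, URL-encode it, and HTML-escape everything before it reaches the DOM.

```javascript
// Added example, not Galaxy Store code. Assumed inputs: a package name and a
// display title taken from untrusted query parameters. The intent URI body is
// a placeholder, not the store's real format.

// Android package names are dot-separated identifiers, each starting with a
// letter. Rejecting anything else removes the injection surface outright
// instead of relying on encoding alone.
const PACKAGE_NAME_RE = /^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$/;

// Escape a string for insertion into HTML text or a double-quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened builder: returns null for any package name outside the allow-list
// so the caller renders nothing rather than a partially sanitised link.
function buildIntentLink(pkg, title) {
  if (typeof pkg !== "string" || !PACKAGE_NAME_RE.test(pkg)) return null;
  // Allow-listed values still go through the URL encoder (defence in depth).
  const href =
    "intent://details?id=" + encodeURIComponent(pkg) +
    "#Intent;scheme=https;end";
  // Both the attribute value and the visible label are escaped at the point
  // of interpolation, so neither reflected value can break out of the tag.
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(title) + "</a>";
}

// The pattern the writeup describes, kept only to show the contrast:
// reflected values dropped straight into markup with no validation or escaping.
function buildIntentLinkUnsafe(pkg, title) {
  return '<a href="intent://details?id=' + pkg + '#Intent;end">' + title + "</a>";
}

// Constructed sample inputs covering a valid name and an injection attempt.
function demo() {
  return {
    benign: buildIntentLink("com.example.app", "Example App"),
    rejected: buildIntentLink('"><img src=x>', "x"),
  };
}
```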

For more fun, once XSS is achieved it is possible to access the window.GalaxyStore object, which exposes two methods, downloadApp and openApp, that can be used to download and open applications.