Initial PoC of spoofing Android OAuth

2023-06-05 20:31:25 -04:00 · 2023-06-05 20:31:25 -04:00 · 383d2789ce
commit 383d2789ce
parent ba89b76332
5 changed files with 94 additions and 5 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -482,6 +482,17 @@ dependencies = [
 "version_check",
 ]
 [[package]]
 name = "getrandom"
 version = "0.2.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c85e1d9ab2eadba7e5040d4e09cbd6d072b76a557ad64e797c2cb9d4da21d7e4"
 dependencies = [
 "cfg-if",
 "libc",
 "wasi",
 ]
 [[package]]
 name = "globset"
 version = "0.4.10"
@ -712,6 +723,7 @@ name = "libreddit"
 version = "0.30.1"
 dependencies = [
 "askama",
 "base64",
 "brotli",
 "build_html",
 "cached",
@ -735,6 +747,7 @@ dependencies = [
 "tokio",
 "toml",
 "url",
 "uuid",
 ]
 [[package]]
@ -1590,6 +1603,15 @@ dependencies = [
 "percent-encoding",
 ]
 [[package]]
 name = "uuid"
 version = "1.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "345444e32442451b267fc254ae85a209c64be56d2890e601a0c37ff0c3c5ecd2"
 dependencies = [
 "getrandom",
 ]
 [[package]]
 name = "version_check"
 version = "0.9.4"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -30,6 +30,8 @@ toml = "0.7.4"
 once_cell = "1.17.0"
 serde_yaml = "0.9.16"
 build_html = "2.2.0"
 uuid = { version = "1.3.3", features = ["v4"] }
 base64 = "0.21.2"
 [dev-dependencies]
 lipsum = "0.9.0"
--- a/src/client.rs
+++ b/src/client.rs
@ -7,18 +7,22 @@ use libflate::gzip;
 use once_cell::sync::Lazy;
 use percent_encoding::{percent_encode, CONTROLS};
 use serde_json::Value;
 use std::sync::RwLock;
 use std::{io, result::Result};
 use crate::dbg_msg;
 use crate::oauth::{Oauth, USER_AGENT};
 use crate::server::RequestExt;
-const REDDIT_URL_BASE: &str = "https://www.reddit.com";
+const REDDIT_URL_BASE: &str = "https://oauth.reddit.com";
-static CLIENT: Lazy<Client<HttpsConnector<HttpConnector>>> = Lazy::new(|| {
+pub(crate) static CLIENT: Lazy<Client<HttpsConnector<HttpConnector>>> = Lazy::new(|| {
 	let https = hyper_rustls::HttpsConnectorBuilder::new().with_native_roots().https_only().enable_http1().build();
 	client::Client::builder().build(https)
 });
 pub(crate) static OAUTH_CLIENT: Lazy<RwLock<Oauth>> = Lazy::new(|| RwLock::new(Oauth::new()));
 /// Gets the canonical path for a resource on Reddit. This is accomplished by
 /// making a `HEAD` request to Reddit at the path given in `path`.
 ///
@ -136,9 +140,9 @@ fn request(method: &'static Method, path: String, redirect: bool, quarantine: bo
 	let builder = Request::builder()
 		.method(method)
 		.uri(&url)
-		.header("User-Agent", format!("web:libreddit:{}", env!("CARGO_PKG_VERSION")))
+		.header("User-Agent", USER_AGENT)
-		.header("Host", "www.reddit.com")
+		.header("Host", "oauth.reddit.com")
-		.header("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
+		.header("Authorization", &format!("Bearer {}", OAUTH_CLIENT.read().unwrap().token))
 		.header("Accept-Encoding", if method == Method::GET { "gzip" } else { "identity" })
 		.header("Accept-Language", "en-US,en;q=0.5")
 		.header("Connection", "keep-alive")
--- a/src/main.rs
+++ b/src/main.rs
@ -6,6 +6,7 @@
 mod config;
 mod duplicates;
 mod instance_info;
 mod oauth;
 mod post;
 mod search;
 mod settings;
@ -25,6 +26,8 @@ use once_cell::sync::Lazy;
 use server::RequestExt;
 use utils::{error, redirect, ThemeAssets};
 use crate::client::OAUTH_CLIENT;
 mod server;
 // Create Services
@ -167,6 +170,11 @@ async fn main() {
 	Lazy::force(&config::CONFIG);
 	Lazy::force(&instance_info::INSTANCE_INFO);
 	// Force login of Oauth client
 	#[allow(clippy::await_holding_lock)] 
 	// We don't care if we are awaiting a lock here - it's just locked once at init.
 	OAUTH_CLIENT.write().unwrap().login().await;
 	// Define default headers (added to all responses)
 	app.default_headers = headers! {
 		"Referrer-Policy" => "no-referrer",
--- a/src/oauth.rs
+++ b/src/oauth.rs
@ -0,0 +1,53 @@
 use std::collections::HashMap;
 use crate::client::CLIENT;
 use base64::{engine::general_purpose, Engine as _};
 use hyper::{client, Body, Method, Request};
 use serde_json::json;
 static REDDIT_ANDROID_OAUTH_CLIENT_ID: &str = "ohXpoqrZYub1kg";
 static AUTH_ENDPOINT: &str = "https://accounts.reddit.com";
 pub(crate) static USER_AGENT: &str = "Reddit/Version 2023.21.0/Build 956283/Android 13";
 pub(crate) struct Oauth {
 	// Currently unused, may be necessary if we decide to support GQL in the future
 	pub(crate) headers_map: HashMap<String, String>,
 	pub(crate) token: String,
 }
 impl Oauth {
 	pub fn new() -> Self {
 		let uuid = uuid::Uuid::new_v4().to_string();
 		Oauth {
 			headers_map: HashMap::from([
 				("Client-Vendor-Id".into(), uuid.clone()),
 				("X-Reddit-Device-Id".into(), uuid),
 				("User-Agent".into(), USER_AGENT.to_string()),
 			]),
 			token: String::new(),
 		}
 	}
 	pub async fn login(&mut self) -> Option<()> {
 		let url = format!("{}/api/access_token", AUTH_ENDPOINT);
 		let mut builder = Request::builder().method(Method::POST).uri(&url);
 		for (key, value) in self.headers_map.iter() {
 			builder = builder.header(key, value);
 		}
 		let auth = general_purpose::STANDARD.encode(format!("{REDDIT_ANDROID_OAUTH_CLIENT_ID}:"));
 		builder = builder.header("Authorization", format!("Basic {auth}"));
 		let json = json!({
 				"scopes": ["*","email","pii"]
 		});
 		let body = Body::from(json.to_string());
 		let request = builder.body(body).unwrap();
 		let client: client::Client<_, hyper::Body> = CLIENT.clone();
 		let resp = client.request(request).await.ok()?;
 		let body_bytes = hyper::body::to_bytes(resp.into_body()).await.ok()?;
 		let json: serde_json::Value = serde_json::from_slice(&body_bytes).ok()?;
 		self.token = json.get("access_token")?.as_str()?.to_string();
 		self.headers_map.insert("Authorization".to_owned(), format!("Bearer {}", self.token));
 		Some(())
 	}
 }