June 24th, 2024

I found a 1-click exploit in South Korea's biggest mobile chat app

A critical exploit in KakaoTalk allows attackers to run JavaScript in a WebView, potentially compromising user accounts by stealing access tokens. The exploit highlights the need to address security vulnerabilities in messaging apps.


A recent blog post highlighted a critical exploit in KakaoTalk, South Korea's leading mobile chat app with over 100 million downloads. The vulnerability, assigned CVE-2023-51219, allows attackers to execute arbitrary JavaScript in a WebView, leaking access tokens and potentially taking over users' accounts. By manipulating deep links handled by the CommerceBuyActivity WebView, attackers can access sensitive information and initiate unauthorized actions. The exploit chains a redirect to an attacker-controlled domain with a cross-site scripting (XSS) vulnerability, so that attacker-supplied JavaScript runs in the WebView and can read the access token, which is what makes the account takeover possible. The post walks through, step by step, how this could be used to compromise the Kakao Mail accounts associated with KakaoTalk registrations. The exploit underscores the importance of addressing security vulnerabilities in popular messaging apps to protect user data and privacy.
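The summary above describes a deep link steering a WebView to an attacker-controlled domain. The defensive check that belongs in front of any `loadUrl()` fed from a deep link is shown below as an added example; it is not KakaoTalk's code, and the activity name, the assumed `url` query parameter, the allowlisted hosts and the sample inputs are all constructed assumptions. The point it makes is that the target must be parsed and its host compared exactly against an allowlist, because substring or prefix matching is what lets a look-alike domain pass.

```python
"""Deep-link target validation for a WebView-loading activity (added example).

Assumptions (not from the page): the deep link carries the page to open in a
'url' query parameter, and only the hosts in ALLOWED_HOSTS may be loaded.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist; a real app would hold only its own first-party hosts.
ALLOWED_HOSTS = frozenset({"shop.example.com", "www.example.com"})


def is_allowed_webview_url(url: str) -> bool:
    """Return True only for https URLs whose host is exactly allowlisted."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed input such as unbalanced IPv6 brackets
        return False
    if parts.scheme != "https":
        # Rejects http (token would travel in clear) and javascript:/data:
        # schemes, which would execute in the WebView rather than navigate.
        return False
    # 'https://shop.example.com@evil.test/' parses with hostname evil.test and
    # username shop.example.com; refuse anything carrying userinfo at all.
    if parts.username is not None or parts.password is not None:
        return False
    # .hostname is already lowercased; strip a trailing dot so that
    # 'shop.example.com.' cannot slip past an exact comparison.
    host = (parts.hostname or "").rstrip(".")
    # Exact membership, never endswith()/in: 'shop.example.com.evil.test'
    # and 'evilshop.example.com' must both fail.
    return host in ALLOWED_HOSTS


def extract_target_from_deep_link(deep_link: str) -> Optional[str]:
    """Return the URL the deep link asks the app to open, or None if it is
    missing or fails validation. The caller passes only a non-None result
    to the WebView."""
    parts = urlsplit(deep_link)
    target = parse_qs(parts.query).get("url", [None])[0]  # assumed parameter name
    if target is None or not is_allowed_webview_url(target):
        return None
    return target


if __name__ == "__main__":
    # Constructed sample deep links, one legitimate and one pointing elsewhere.
    for link in (
        "app://commerce?url=https%3A%2F%2Fshop.example.com%2Fbuy",
        "app://commerce?url=https%3A%2F%2Fshop.example.com%40evil.test%2F",
    ):
        print(link, "->", extract_target_from_deep_link(link))
```

A host allowlist only decides which site the WebView loads; it does not help if an allowlisted page is itself an open redirector or has an XSS, which is the chain the summary describes. Those need fixing on the web side, and the WebView should additionally avoid exposing the access token to page script (no JavaScript bridge or injected token unless the loaded origin is verified after every navigation).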

17 comments
By @second_brekkie - 4 months
Source: I live in SK

For some context, you can't live in South Korea and not use Kakao, even your grandma has it.

So the fact that they have so many holes in their security is a cause for concern.

Your grandma isn't going to know a fishy link when she sees one, especially with this exploit where the domain looks legitimate.

A contributing factor is the hierarchical work culture in Korea. Your boss gives you a deadline for a feature which is treated as non-negotiable, so you cut corners to get it out. Your boss can't 'see' security vulnerabilities, but can see a UI. So you get told "good job" and then get given the next unachievable deadline.

This all amounts to an app full of security holes, and until Kakao stock drops because of it, they're not going to address it.

By @james_dev_123 - 4 months
Fun fact: western ride sharing apps don't work in South Korea, and this company also makes the leading rideshare app in the country.

I was forced to make an account on the mobile chat app in order to log into their rideshare app, on a recent trip to Seoul. The UX was not great... not to mention that it was mostly in Korean. I had a lot of trouble. They didn't strike me as the most professional operation.

By @ponorin - 4 months
A small correction: KakaoTalk is not an "all in one" app like WeChat. The main chat app does contain ancillary features such as gifting that enabled this exploit, but you can't call a taxi on KakaoTalk, you do that on Kakao T, a mobility app that also offers rental scooters, e-bikes, and train and flight booking. Similarly, even though the messenger app does have integration with its payment platform (cleverly named KakaoPay), the service itself lives in a dedicated app. It's like Google on Android where you could access a bunch of services with one central ID, which I presume is why their apps have so many access points: they need it for themselves.

By @system2 - 4 months
LOL Only Koreans are eligible for reward. They deserve to be destroyed by hackers at this point.

By @siva7 - 4 months
Reminds me how the Telegram founder boasted how talented his team is as only one developer was responsible for writing the mobile client. Turns out that client was riddled with bugs that displayed messages to the wrong user. A mobile chat app shouldn't be developed with the mantra "move fast and break things", yet this is the natural product result of all-in-one apps like Kakao.

By @solarized - 4 months
> We reported this vulnerability in December 2023 via Kakao’s Bug Bounty Program. However, we didn’t receive any reward as only Koreans are eligible to receive a bounty

Holy crap !

By @Summerbud - 4 months
We should step back and re-think the approach we have in software engineering nowadays...

Is it for a long-term game or short-term gain for a small group of people?

By @idlephysicist - 4 months
I wonder how many U.S. service persons stationed in South Korea could have been affected by this? Do we know if it was exploited in the wild?

By @boodleboodle - 4 months
They STILL don't have a web version after more than a decade of service, but I guess that is a good thing in light of this news.

By @Shank - 4 months
> However, we didn’t receive any reward as only Koreans are eligible to receive a bounty

Talk about discouragement for research. KakaoTalk is huge -- the equivalent of WhatsApp for EU people or LINE in Japan. Many foreigners learning Korean use KakaoTalk to chat, so this definitely affects people outside of the country. Restricting payment to just Koreans is objectively a terrible decision, as it endangers their users for no discernible reason.

By @snaeker58 - 4 months
Crazy that only Koreans are eligible for bounty rewards. Someone is going to put their morals aside in the future and their customers are going to be the victims. Also I’m pretty sure a large part of government officials in Korea use KakaoTalk?

But hey at least they actually took action…

By @qwertox - 4 months
"We also release our tooling so that fellow security researchers can dig into KakaoTalk’s broad attack surface to find more bugs." I think this would be illegal in Germany.