CVE-2022-21867 Windows Push Notifications Apps Elevation Of Privilege Vulnerability.

If you have an app that sends push notifications, it’s pretty important that you check your app’s code for potential security issues. Unfortunately, these issues are fairly common. One of the most common of these issues is a lack of validation. In other words, you might have coded your app in a way that allows attackers to craft requests that your app will respond to. Now, if an attacker were to send a request that your app were to respond to, that could lead to a variety of different issues.

Bad Request

A lack of validation is a common security flaw, but it’s not the only way that your app might be vulnerable. Take this example:

Click on the browser and type “” into address bar
This is a bad request because it doesn’t have the proper HTTP header values. This could lead to an array of issues depending on what your app does with a request like this. For example, if you had implemented some sort of authentication for your website, you would need to check for the correct authentication header. If these aren’t present, then the request would fail and would prevent any malicious activity from taking place.
Another issue related to bad requests is when attackers are able to send you requests that your app will respond to even though they use an invalid URL scheme. If one of these URLs were sent in lieu of a legitimate URL, they may be able to access your API or pull data from your database without ever invoking a particular function on your website or app. So, in other words, if someone were able to modify their location within an app by entering two-letter state codes (like NJ), you may be vulnerable and unable to detect that person's location or monitor their movements in real time during the attack.

Core network vulnerability

One of the biggest risks that could arise from a lack of validation is a core network vulnerability. This means that an attacker might be able to control the entire app or its entire data. In fact, in 2016, Uber was hacked and over 57 million accounts were compromised.

What is a lack of validation?

A lack of validation is when an app accepts requests without first validating that the request came from the app. For example, if you were to see a user’s name and birthday, you could send them a message letting them know you had contacted them, and that message could be traced back to your IP address. An attacker could send this same request to your app with their own IP address in order to make it seem like they are sending you a message, when really they are sending it to themselves. If the app responds to this request with the user’s name and birthday, then your app is vulnerable to this type of attack.

What is validation?

Validating your app’s API is the process of ensuring that all requests are coming from the correct source and are not being tampered with.
For example, say you have an app that sends push notifications to users. When the user installs the app, they will send a request to your server along with their email address. Your server will then check that email address against an email list stored in your database to ensure that only valid users are receiving push notifications. This process is known as validation.
Validating your app’s API at this stage prevents attackers from crafting requests and sending them to your app without having your permission. It's also important for you to do this to prevent issues down the line when you're integrating third-party services into your codebase and may not know what they're doing with their own APIs.

Not all requests are created equal

The most common security issue with push notifications is a lack of validation. When developers don’t validate incoming requests, they can allow attackers to craft malicious messages that your app will respond to. These kinds of requests could lead to a variety of different problems including remote code execution, information disclosure, and potential denial-of-service (DoS) attacks.
Not all requests are created equal. For example, when you send a message that says “Hi there! How are you?” just about anyone can read it. However, if you were to send out an update saying “There has been an attack on our network” or “We are experiencing heavy traffic in the area due to road construction” then only those who were intended to receive that message would see it.
You need validation in order for your app not to be vulnerable in these situations. When implementing validation into your app, make sure you use the appropriate level of validation for each specific scenario and consider using custom headers as well as content-based checks.
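The checks described above (a required authentication header, rejecting requests that use an invalid URL scheme, checking the supplied email address against the list of registered users, and content-based checks on the request body) can be combined into one server-side validation routine. The following is an added example written for this article, not code from the original page or from any push-notification framework; the HMAC-signed `X-Signature` header, the JSON registration body, the shared secret and the registered-email list are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample data: a shared secret the client and server both hold,
# and the "email list stored in your database" that the article describes.
SHARED_SECRET = b"constructed-example-secret"  # placeholder, not a real key
REGISTERED_EMAILS = {"alice@example.com", "bob@example.com"}
ALLOWED_SCHEMES = {"https"}  # URL schemes a callback address may use


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the raw request body; this is the custom header value."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def validate_registration(headers: dict, body: bytes):
    """Return (ok, reason) for a push-notification registration request.

    Order matters: the cheap header check and the signature check run before
    the body is parsed, so untrusted content is never interpreted unsigned.
    """
    # 1. Custom header check: the authentication header must be present.
    sig = headers.get("X-Signature")
    if sig is None:
        return False, "missing authentication header"
    # 2. The signature must match the body (constant-time comparison), which
    #    also detects a body that was tampered with after signing.
    if not hmac.compare_digest(sig, sign(body)):
        return False, "bad signature"
    # 3. Content-based checks: the body must be a JSON object with the
    #    expected string fields and nothing structurally surprising.
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed body"
    if not isinstance(data, dict):
        return False, "malformed body"
    email = data.get("email")
    callback_url = data.get("callback_url")
    if not isinstance(email, str) or not isinstance(callback_url, str):
        return False, "missing fields"
    # 4. URL scheme allowlist: reject anything that is not an https URL
    #    with a host, so an invalid scheme never reaches the API.
    parsed = urlparse(callback_url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        return False, "invalid URL scheme"
    # 5. Source check: only users already in the registered list may enrol.
    if email not in REGISTERED_EMAILS:
        return False, "unregistered user"
    return True, "ok"


def make_request(email: str, callback_url: str, secret: bytes = SHARED_SECRET):
    """Build (headers, body) the way a well-behaved client would."""
    body = json.dumps({"email": email, "callback_url": callback_url}).encode()
    return {"X-Signature": sign(body, secret)}, body


def demo():
    """Run the validator over constructed good and bad requests."""
    results = {}
    good_url = "https://push.example.com/callback"
    headers, body = make_request("alice@example.com", good_url)
    results["valid"] = validate_registration(headers, body)
    results["no_header"] = validate_registration({}, body)
    # Body altered after signing: the signature no longer matches.
    tampered = body.replace(b"alice", b"bob__")
    results["tampered"] = validate_registration(headers, tampered)
    headers, body = make_request("alice@example.com", good_url, secret=b"wrong")
    results["bad_secret"] = validate_registration(headers, body)
    headers, body = make_request("alice@example.com", "http://push.example.com/callback")
    results["bad_scheme"] = validate_registration(headers, body)
    headers, body = make_request("mallory@example.com", good_url)
    results["unknown_user"] = validate_registration(headers, body)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

The signature covers the raw body bytes, so the content-based checks are only ever applied to data that passed the header check; reordering those steps would mean parsing attacker-controlled JSON before knowing whether the request is authentic.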

