TL;DR
I discovered a one-click account takeover vulnerability in Tokopedia, a popular Indonesian Android app. The chain involves URI-parsing issues and custom WebViews, but it was ultimately exploitable only with a payload hosted on a domain in Google's HSTS preload list, i.e. a domain that HSTS-aware clients upgrade from http:// to https:// before any request is sent. This blog post explores the vulnerability in detail and serves as the public reveal of my free HSTS+HTTPS Redirection service, a useful tool for exploiting URL-parsing vulnerabilities on Android.
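Because the whole chain hinges on the payload domain being HSTS-preloaded, the first thing a practitioner will want to check is whether a candidate host is actually covered by the preload list, including coverage inherited from a parent entry with include_subdomains. The script below is an added example, not code from the original post or from the author's redirection service. It models the lookup that Chromium performs against its bundled transport_security_state_static.json (the same data hstspreload.org serves); the entries in SAMPLE_PRELOAD_JSON are a constructed excerpt in that file's shape, not live data, and the .test hostnames are placeholders.

```python
"""Check whether a hostname is covered by the Chromium HSTS preload list.

Added example, not code from the original post or the author's service.
The real list ships with Chromium as transport_security_state_static.json
(and is queryable at hstspreload.org); SAMPLE_PRELOAD_JSON below is a
CONSTRUCTED excerpt in that file's shape, not live data.
"""
import json
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the Chromium file: a JSON object whose
# "entries" array holds one object per host. Full-line // comments appear in
# the real file and are stripped before parsing. Entries that carry only
# "pins" (certificate pins) and no "mode" are NOT HSTS-preloaded.
SAMPLE_PRELOAD_JSON = r'''
// Constructed excerpt for illustration; not the real preload list.
{
  "entries": [
    // Preloaded with include_subdomains: every subdomain is forced to HTTPS.
    { "name": "preloaded.test", "policy": "custom", "mode": "force-https", "include_subdomains": true },
    // Preloaded without include_subdomains: only the exact host is covered.
    { "name": "exact-only.test", "policy": "custom", "mode": "force-https", "include_subdomains": false },
    // Pins only, no HSTS mode: not covered.
    { "name": "pins-only.test", "policy": "custom", "pins": "example-pins" }
  ]
}
'''

_COMMENT_LINE = re.compile(r"^\s*//.*$", re.MULTILINE)


def load_preload_entries(text: str) -> dict:
    """Return {hostname: include_subdomains} for every force-https entry."""
    data = json.loads(_COMMENT_LINE.sub("", text))
    entries = {}
    for entry in data["entries"]:
        if entry.get("mode") != "force-https":
            continue  # pins-only entries do not upgrade to HTTPS
        entries[entry["name"].lower()] = bool(entry.get("include_subdomains", False))
    return entries


def hsts_preload_status(host: str, entries: dict):
    """Return (covered, matching_entry_name) for a hostname.

    An exact match always counts. A parent domain counts only when its entry
    set include_subdomains, so the check walks up the label hierarchy.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries and (i == 0 or entries[candidate]):
            return True, candidate
        # A parent entry without include_subdomains does not cover this host;
        # keep walking up in case a higher parent does.
    return False, None


def upgrade_if_preloaded(url: str, entries: dict) -> str:
    """Model what an HSTS-aware client does before sending any request:
    an http:// URL whose host is preloaded is rewritten to https://.
    Non-http schemes and uncovered hosts are returned unchanged."""
    parsed = urlparse(url)
    if parsed.scheme != "http" or not parsed.hostname:
        return url
    covered, _ = hsts_preload_status(parsed.hostname, entries)
    if not covered:
        return url
    return parsed._replace(scheme="https").geturl()


if __name__ == "__main__":
    table = load_preload_entries(SAMPLE_PRELOAD_JSON)
    for h in ["preloaded.test", "deep.sub.preloaded.test", "exact-only.test",
              "www.exact-only.test", "pins-only.test"]:
        print(f"{h:28} -> {hsts_preload_status(h, table)}")
    print(upgrade_if_preloaded("http://attacker.preloaded.test/payload", table))
```

To run this against the real list, download transport_security_state_static.json from the Chromium source tree and pass its contents to load_preload_entries in place of the sample; note that the real file is large and that only entries with "mode": "force-https" are HSTS-preloaded, which is why the loader ignores pins-only entries.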