CI/CD Takeover & Supply Chain Risk! $$$$ Bounty
Summary: Aditya Sunny found that the Linktree Android app's strings.xml file contained a large number of hardcoded production secrets, exposing critical services such as the CI/CD pipeline, OTA updates and the authentication system. These could lead to supply chain attacks, CI/CD takeover and data leakage. The report was initially rejected as "Not Applicable" but was accepted and rewarded after an appeal.

2026-4-9 07:51:6 Author: infosecwriteups.com (view original)


Author: Aditya Sunny | Follow on LinkedIn: @adityasunny06

Program: Linktree Bug Bounty (Bugcrowd) | Status: Accepted & Rewarded ✅ | Reward: $$$$ 💸

What if a single XML file buried inside a popular app contained the keys to compromise millions of users? That’s exactly what I found inside Linktree’s Android application — a strings.xml file packed with hardcoded production secrets that exposed their entire mobile infrastructure. From CI/CD pipeline takeover to OTA supply chain attacks — one file, total compromise. Let’s break it down.

[Image: bug reported]

🔍 What Happened?

During a security audit of the Linktree Android application, I decompiled the APK and examined the res/values/strings.xml file. What I found was alarming — dozens of hardcoded production secrets spanning nearly every critical service Linktree uses:

🔑 Codemagic CI/CD API Key — Full access to Linktree's internal build pipeline (Project: "Cerberus")

🚀 CodePush Production Deployment Keys — Ability to push malicious OTA updates directly to users, bypassing App Store/Play Store review

🔐 Auth0 Credentials — AUTH0_CLIENT_ID and AUTH0_DOMAIN exposing the identity/authentication layer

🔓 Encryption Passphrase — CRYPTO_PASSPHRASE hardcoded in plain text

📁 Filestack API Key + Signature — Read/write access to cloud storage with a signature valid until the year 2100!

💬 Intercom API Keys — Access to customer support infrastructure

📊 Analytics Keys — Full keys for Amplitude, Datadog, Statsig, and Stream

🐛 Shake Client Credentials — Bug reporting system access

🌐 Internal API Endpoints — ACCOUNT_ENDPOINT, GRAPHQL_ENDPOINT, MESH_URI

This wasn't just one leaked key — this was Linktree's entire mobile infrastructure served on a silver platter.

[Image: bug rejected]

🛠 Exploitation Steps

Step 1: Decompiled the Linktree Android APK and located res/values/strings.xml containing hardcoded production secrets.

Step 2: Extracted the Codemagic CI/CD API Key and authenticated against the Codemagic REST API:

curl -H "x-auth-token: [CODEMAGIC_API_TOKEN]" https://api.codemagic.io/apps

Step 3: The API response revealed full project access including:

  • Project Name: Cerberus
  • GitHub Repository: blistco/cerberus (private repo path leaked!)
  • User Rights: ["delete"] — administrative privileges confirmed
  • Internal Developer Emails exposed
  • Build Environment: mac_mini_m2 instances with direct App Store/Play Store publishing hooks

Step 4: Identified CodePush Production Deployment Keys for both Android and iOS:

<string name="CODEPUSH_ANDROID_PRODUCTION_DEPLOYMENT_KEY">4X19vITGaTpg80SD83k-2D59n0IZ89VHaYmoa...</string>
<string name="CODEPUSH_IOS_PRODUCTION_DEPLOYMENT_KEY">US7I0gpLR4rkwrC0YvT0ISaKVazh61...</string>

These keys allow an attacker to bypass App Store/Play Store reviews entirely and push malicious OTA (Over-the-Air) updates directly to every Linktree user's device. 💀

Step 5: Extracted Auth0 authentication credentials, internal API endpoints, and the encryption passphrase — providing a complete attack surface map of Linktree's backend.


Step 6: Verified Filestack persistent access — the hardcoded signature expires in 2100, granting a near-permanent window to read, upload, or overwrite files in Linktree's cloud storage buckets.

[Image: bug accepted with bounty]

🔓 The Kill Chain — How It Escalates

Decompile APK → Extract strings.xml → Codemagic API Key → CI/CD Pipeline Access → Build Logs → MORE Secrets (AWS, Firebase, Keystore) → CodePush Keys → Push Malicious OTA Updates → MILLIONS OF USERS COMPROMISED 💀

Why This Is Catastrophic:

1. Supply Chain Attack via CodePush — An attacker could push a malicious update to every Linktree user without going through app store review. Silent. Instant. Devastating.

2. CI/CD Pipeline Takeover — The Codemagic key provides access to the "Cerberus" project with mac_mini_m2 build instances that have direct publishing hooks to App Store and Play Store.

3. Identity & Encryption Compromise — Auth0 credentials + hardcoded CRYPTO_PASSPHRASE ("Problem Perhaps Guest Old Fire Flavor") means the authentication and encryption layers are both exposed.

4. 84-Year Persistent Access — The Filestack signature doesn't expire until 2100. That's not a vulnerability — that's a permanent backdoor.

5. Complete Infrastructure Mapping — Internal API endpoints (ACCOUNT_ENDPOINT, GRAPHQL_ENDPOINT, MESH_URI) give attackers a full blueprint of Linktree's backend architecture.

🥊 The Triage Battle — From "Not Applicable" to Accepted

Here's where it gets interesting. After submitting this report through Bugcrowd, the initial response was:

"After an initial review of your report, we were unable to identify an immediate security impact. As such, this has been marked as Not Applicable."

Not Applicable? For hardcoded production secrets exposing an entire mobile infrastructure? 😤

I wasn't going to let this slide. I submitted a detailed Request for Response with demonstrable proof of administrative API access with delete rights, evidence of supply chain attack vectors via CodePush deployment keys, complete enumeration of every exposed service, and a technical argument showing how combined impact constitutes a P1/Critical vulnerability.

The response? Bug accepted. Bounty awarded. 💰

Lesson for every bug bounty hunter: Never accept "Not Applicable" without fighting back. If your bug is real, prove it with impact.

📷 Proof of Concept

Step 1: Codemagic API Access Verification — Successfully authenticated using the leaked API key and retrieved internal project metadata, build configurations, and developer information.

Step 2: Administrative Rights Confirmed — The JSON response explicitly leaked Project Name (Cerberus), GitHub URL (blistco/cerberus), Rights (["delete"]), Internal Emails, and Build Infra (mac_mini_m2 with App Store/Play Store hooks).

Step 3: The strings.xml Treasure Trove — A single file containing keys for Codemagic, CodePush (Android + iOS), Auth0, Filestack, Intercom, Shake, Amplitude, Datadog, Statsig, Stream, and internal API endpoints.

🛡 Patch & Prevention

Root Cause: Mass hardcoding of production secrets in res/values/strings.xml — a file trivially accessible to anyone who decompiles the APK.

Recommended Fixes:

  1. Immediate Key Rotation — Revoke and rotate ALL exposed credentials (Codemagic, CodePush, Auth0, Filestack, Intercom, etc.)
  2. Remove Hardcoded Secrets — Use the Android Keystore System or fetch keys dynamically from a secure backend
  3. Secret Masking in CI/CD — Ensure build logs never print sensitive environment variables
  4. Short-Lived Signatures — Replace the 84-year Filestack signature with short-lived, backend-generated tokens
  5. Code Obfuscation — Implement ProGuard/R8 rules and consider runtime secret injection
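A pre-release check that would have caught the root cause above, as an added example that is not part of the original write-up: it parses a res/values/strings.xml (a constructed sample is embedded, with made-up values), flags resource names that usually hold credentials, flags values with the length and entropy profile of an opaque API token, and decodes any base64url JSON policy to report how long it stays valid. The name regex, the length/entropy thresholds and the one-day policy limit are my own assumptions, as is the assumption that a Filestack-style policy carries its expiry as a Unix timestamp.

```python
import base64, json, math, re
from collections import Counter
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Constructed strings.xml resembling the leak described above; every value is
# a made-up placeholder, not a real credential. The policy expires 2100-01-01.
LONG_LIVED_POLICY = base64.urlsafe_b64encode(b'{"expiry":4102444800}').decode().rstrip("=")
SAMPLE_STRINGS_XML = f"""<resources>
    <string name="app_name">Linktree</string>
    <string name="CODEPUSH_ANDROID_PRODUCTION_DEPLOYMENT_KEY">Qm3xT9vK2pLz8Rw4Yh1N6sDc7Ub0Ae5Fj</string>
    <string name="AUTH0_DOMAIN">example.eu.auth0.com</string>
    <string name="CRYPTO_PASSPHRASE">correct horse battery staple</string>
    <string name="FILESTACK_POLICY">{LONG_LIVED_POLICY}</string>
    <string name="ok_button">OK</string>
</resources>"""

# Assumed heuristics: resource names that usually hold credentials, and the
# length/entropy profile of an opaque API token rather than UI text or a hostname.
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSPHRASE|PASSWORD|SIGNATURE|CLIENT_ID", re.I)
MIN_TOKEN_LEN, MIN_TOKEN_ENTROPY, MAX_POLICY_DAYS = 24, 4.0, 1

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def policy_expiry(value):
    # If value is a base64url JSON policy with an 'expiry' epoch, return it as UTC datetime.
    try:
        doc = json.loads(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))
        return datetime.fromtimestamp(int(doc["expiry"]), tz=timezone.utc)
    except (ValueError, KeyError, TypeError):
        return None

def scan_strings_xml(xml_text):
    """Return {resource_name: [reasons]} for every <string> that looks like a leaked secret."""
    now, findings = datetime.now(timezone.utc), {}
    for el in ET.fromstring(xml_text).iter("string"):
        name, value, reasons = el.get("name", ""), (el.text or "").strip(), []
        if SECRET_NAME.search(name):
            reasons.append("credential-like name")
        if len(value) >= MIN_TOKEN_LEN and " " not in value and shannon_entropy(value) >= MIN_TOKEN_ENTROPY:
            reasons.append("opaque high-entropy value")
        exp = policy_expiry(value)
        if exp and (exp - now).days > MAX_POLICY_DAYS:
            reasons.append(f"policy valid until {exp:%Y-%m-%d}")
        if reasons:
            findings[name] = reasons
    return findings
```

Calling scan_strings_xml(SAMPLE_STRINGS_XML) flags the CodePush key, the passphrase and the long-lived policy while leaving app_name, ok_button and the Auth0 domain alone; in a real pipeline, run it over the decompiled res/values/strings.xml and fail the build on any finding.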

⚡ Key Takeaways

🔑 One XML file can expose an entire company's infrastructure. strings.xml is the first place attackers look — if your secrets are there, you're already compromised.

🚀 CodePush keys are nuclear weapons in the wrong hands. They bypass app store reviews entirely — one leaked key means silent malicious updates to millions of users.

🥊 Never accept "Not Applicable" without a fight. My report was initially rejected. I pushed back with evidence and impact analysis. Result? Bug accepted and bounty awarded. Always advocate for your findings.

If you enjoyed this write-up, follow me on Medium and LinkedIn for more bug bounty stories, security research, and vulnerability deep-dives.

The next big bounty is hiding in plain sight — go find it. 🎯


Source: https://infosecwriteups.com/linktrees-entire-mobile-infrastructure-exposed-hardcoded-secrets-in-strings-xml-bb881b0a86d7?source=rss----7b722bfd1b8d---4