1. Reporting information

Team name : Team Brrester

2. Overview of Vulnerabilities

3. Details

<activity
            android:theme="@style/ContainerTheme"
            android:name="com.android.bc.account.smart.AlexaToSmartHomeActivity"
            android:exported="true"
            android:launchMode="singleTask"
            android:screenOrientation="portrait">
            <intent-filter android:autoVerify="true">
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data android:scheme="https"/>
                <data android:host="apis.reolink.dev"/>
                <data android:host="cloud.reolink.review"/>
                <data android:host="cloud.reolink.com"/>
                <data android:pathPrefix="/ulink/smarthome/alexa/"/>
            </intent-filter>
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data android:scheme="reolinksmarthome"/>
                <data android:host="apis.reolink.dev"/>
                <data android:host="cloud.reolink.review"/>
                <data android:host="cloud.reolink.com"/>
                <data android:pathPrefix="/ulink/smarthome/alexa/"/>
            </intent-filter>
        </activity>

If you check it in AndroidManifest, Alexa ToSmart Home Activity has all the exported=true properties, deep links, and app links.

If you look more closely at Alexa ToSmart Home Activity's Uriparse section

String valueOf = String.valueOf(intent != null ? intent.getData() : null);
        BCLog.d(TAG, "url " + valueOf);
        this.code = Uri.parse(valueOf).getQueryParameter(TombstoneParser.keyCode);
        this.state = Uri.parse(valueOf).getQueryParameter("state");
        this.clientId = Uri.parse(valueOf).getQueryParameter("client_id");
        this.redirectUri = Uri.parse(valueOf).getQueryParameter("redirect_uri");
        this.scope = Uri.parse(valueOf).getQueryParameter(PermissionsResponse.SCOPE_KEY);

You can see that you are receiving the factor redirect_uri as the getQueryParameter.

If you look at the init function part of this activity

if (!AccountManager.getInstance().isLogin()) {
            startActivity(new Intent(this, (Class<?>) LoginActivity.class));
            return;
        }
        if (!AccountManager.getInstance().getIsHasAccountData()) {
            BCLog.e(TAG, "no account data, refresh account");
            BCToast.showToast(this, R.string.common_failed_to_get_info);
            AccountManager.getInstance().refreshAccount(new AccountManager.RefreshAccountDelegate() { // from class: com.android.bc.account.smart.AlexaToSmartHomeActivity$initView$4
                @Override // com.android.bc.account.AccountManager.RefreshAccountDelegate
                public void onFail() {
                }

                @Override // com.android.bc.account.AccountManager.RefreshAccountDelegate
                public void onSuccess() {
                    if (AccountManager.getInstance().isEmailVerified()) {
                        return;
                    }
                    BCLog.e(AlexaToSmartHomeActivity.TAG, "not verify email");
                    String name = VerifyEmailFragment.class.getName();
                    Intrinsics.checkNotNullExpressionValue(name, "getName(...)");
                    RouterLaunch.gotoBlank(name);
                }
            });
        } else {
            if (AccountManager.getInstance().isEmailVerified()) {
                return;
            }
            BCLog.e(TAG, "not verify email");
            String name = VerifyEmailFragment.class.getName();
            Intrinsics.checkNotNullExpressionValue(name, "getName(...)");
            RouterLaunch.gotoBlank(name);
        }

Make sure you're logged in and checked your email, and if you are

image.png