Security Vulnerability in Rapid Gator Android App

friendlyjlee Oct 7th, 2019 (edited)
# Title: Rapid Gator - Logging Sensitive Information
# Application: Rapid Gator
# Version: 0.7.1
# Software Link: https://play.google.com/store/apps/details?id=net.rapidgator
# Company: Rapid Gator
# Installs: 100,000+
# Impact: anyone who can read the device log (Logcat) obtains the user's Rapid Gator username and password in clear text.
# Category: Mobile Apps
# Tested on: Android 9


---Description---
Rapid Gator, a popular file-sharing app with more than 100,000 installs, writes the user's username and password to Logcat when the user logs in. Anyone who can read the device log, for example over an ADB connection with USB debugging enabled, therefore obtains the credentials without any further effort. The exposure is widest on old Android versions: before Android 4.1 (Jelly Bean), any installed app could request the READ_LOGS permission and read the system-wide log, so a malicious app on the same device could harvest the credentials; since 4.1 that permission is reserved for system apps and a third-party app only sees its own log output.

---Vendor feedback---
After the report, the vendor fixed the problem quickly and released a new version.

---PoC---
1. Log in to the Rapid Gator Android app.
   - Open the login UI.
   - Enter credentials. Fake credentials are enough to reproduce the leak: the request URL is logged whether or not the login succeeds.

2. Search the log for the password:
$ adb logcat | grep 'password'

09-17 00:12:16.296 15619 15746 D OkHttp  : --> GET http://rapidgator.net/api/v2/user/login?login=jaeho.lee%40rice.edu&password=MyPasswordIsHere!
09-17 00:12:16.773 15619 15746 D OkHttp  : <-- 200 OK http://rapidgator.net/api/v2/user/login?login=jaeho.lee%40rice.edu&password=MyPasswordIsHere! (477ms)

The two lines have the request/response format of OkHttp's HttpLoggingInterceptor, so the leak is consistent with that interceptor being left enabled in a release build. Note that the same lines also show the credentials travelling in the query string of an unencrypted HTTP GET request, which exposes them on the network path as well; that is a separate exposure from the logging issue reported here.
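Grepping for the literal word "password" misses other parameter names and leaves the values URL-encoded. The script below is an added example, not part of the original advisory, that scans logcat output (a dump file given as the argument, or the constructed sample lines embedded in it) for HTTP(S) URLs whose query string carries credential-like parameters and prints the decoded key/value pairs. The host example.invalid, the sample credentials and the list of parameter names it checks are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original advisory): scan logcat output for
# HTTP(S) URLs whose query string carries credential-like parameters and
# print the URL-decoded values, so a tester does not have to spot them by eye.
#
# Usage:  adb logcat -d > dump.txt && ./find_cred_leaks.sh dump.txt
# With no argument the constructed sample lines below are scanned instead.

# Constructed sample, modelled on the OkHttp lines in the advisory; the host
# example.invalid and the credentials are made up for this demonstration.
SAMPLE_LOG='09-17 00:12:16.296 15619 15746 D OkHttp  : --> GET http://example.invalid/api/v2/user/login?login=alice%40example.invalid&password=Secr3t%21
09-17 00:12:16.773 15619 15746 D OkHttp  : <-- 200 OK http://example.invalid/api/v2/user/login?login=alice%40example.invalid&password=Secr3t%21 (477ms)
09-17 00:12:17.001 15619 15746 D OkHttp  : --> GET http://example.invalid/api/v2/file/info?file_id=abc123
09-17 00:12:17.020 15619 15746 I ActivityManager: Displayed net.rapidgator/.MainActivity: +312ms'

# find_cred_leaks: read log lines on stdin and print, for every URL whose
# query string has a credential-like parameter, the URL followed by a tab and
# the decoded key=value pairs. Exit status 0 if anything was found, 1 if not.
find_cred_leaks() {
    awk '
    # Decode %XX escapes and "+" in s using plain awk, no external tools.
    function urldecode(s,    out, c, h, hex) {
        hex = "0123456789abcdef"
        out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            h = tolower(substr(s, 2, 2))
            if (c == "%" && h ~ /^[0-9a-f][0-9a-f]$/) {
                out = out sprintf("%c", (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1)
                s = substr(s, 4)
            } else if (c == "+") {
                out = out " "
                s = substr(s, 2)
            } else {
                out = out c
                s = substr(s, 2)
            }
        }
        return out
    }
    {
        line = $0
        # Every whitespace-delimited http(s) URL on the line that has a query string.
        while (match(line, /https?:\/\/[^ \t]+\?[^ \t]+/)) {
            url = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            query = url
            sub(/^[^?]*\?/, "", query)
            n = split(query, kv, "&")
            hits = ""
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq == 0) continue
                key = substr(kv[i], 1, eq - 1)
                # Parameter names treated as credential-like (an assumption for this example).
                if (tolower(key) ~ /^(pass|passwd|password|pwd|login|user|username|email|token|api_key|apikey|secret)$/)
                    hits = hits " " key "=" urldecode(substr(kv[i], eq + 1))
            }
            if (hits != "") {
                found++
                print url "\t" substr(hits, 2)
            }
        }
    }
    END { if (found > 0) exit 0; exit 1 }
    '
}

# Scan the file named on the command line, or the constructed sample.
if [ $# -gt 0 ]; then
    find_cred_leaks < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | find_cred_leaks
fi
```

On the sample the script reports the two login lines with login=alice@example.invalid and password=Secr3t! decoded, and ignores the file_id request and the ActivityManager line. Against a real device, run it on `adb logcat -d` output captured right after a login attempt with throw-away credentials, as the PoC above describes.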

---Reporter---
Jaeho Lee (Jaeho.Lee@rice.edu)
Rice Computer Security Lab
Rice University