# Title: Rapid Gator - Logging Sensitive Information
# Application: Rapid Gator
# Version: 0.7.1
# Software Link: https://play.google.com/store/apps/details?id=net.rapidgator
# Company: Rapid Gator
# Installs: 100,000+
# Impact: hackers can get the username and password of Rapid Gator, looking at the log.
# Category: Mobile Apps
# Tested on: Android 9
Rapid Gator, the popular file-sharing app installed more than 0.1 million, stores username and password in Logcat. So, hackers can obtain the username and password of the app, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission.
After reporting, the vendor has fixed this problem quickly and released a new version.
1. Try to log in Rapid Gator, Android app.
- Opening Login UI
- Enter credentials. Fake information is enough for reproducing.
2. Search the password in the log
$ adb logcat | grep 'password'
09-17 00:12:16.296 15619 15746 D OkHttp : --> GET http://rapidgator.net/api/v2/user/login?login=jaeho.lee%40rice.edu&password=MyPasswordIsHere!
09-17 00:12:16.773 15619 15746 D OkHttp : <-- 200 OK http://rapidgator.net/api/v2/user/login?login=jaeho.lee%40rice.edu&password=MyPasswordIsHere! (477ms)
Jaeho Lee (Jaeho.Lee@rice.edu)
Rice Computer Security Lab