friendlyjlee

Security Bug in PowerSchool Android Application

Oct 7th, 2019
995
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Title: PowerSchool Mobile - Logging Sensitive Information
  2. # Application: PowerSchool Mobile
  3. # Version: 1.1.8
  4. # Software Link: https://play.google.com/store/apps/details?id=com.powerschool.portal
  5. # Company: PowerSchool Group LLC
  6. # Installs: 1,000,000+
  7. # Impact: Hackers can get username and password of the app by looking at the log
  8. # Category: Mobile Apps
  9. # Tested on: Android 8
  10.  
  11. ---Description---
  12. PoweverSchool Mobile, the popular education app installed more than 1 million, logs username and password in Logcat during login step. So, hackers can obtain user password/ID of PowerSchool Mobile, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission.
  13.  
  14. ---Vendor feedback---
  15. We have reported this issue to the vendor, and they will fixed this problem soon.
  16.  
  17. ---PoC---
  18. 1. Try to login in PowerSchool, entering username and password.
  19.  
  20. 2. Search password in the log
  21. $ adb logcat | grep 'password'
  22.  
  23. 11857 12122 D SoapCall: loginToPublicPortal request xml <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www...<username><![CDATA[jaeho.lee@rice.edu]]></username><password><![CDATA[myPasswordHere]]></password.</loginToPublicPortal></soap:Body></soap:Envelope>
  24.  
  25.  
  26. ---Reporter---
  27. Jaeho Lee(Jaeho.Lee@rice.edu)
  28. Rice University
RAW Paste Data