Security Bug in PowerSchool Android Application
- # Title: PowerSchool Mobile - Logging Sensitive Information
- # Application: PowerSchool Mobile
- # Version: 1.1.8
- # Software Link: https://play.google.com/store/apps/details?id=com.powerschool.portal
- # Company: PowerSchool Group LLC
- # Installs: 1,000,000+
- # Impact: An attacker can obtain a user's username and password for the app by reading the device log
- # Category: Mobile Apps
- # Tested on: Android 8
- PowerSchool Mobile, a popular education app with more than 1 million installs, logs the username and password to Logcat during the login step. An attacker can therefore obtain a PowerSchool Mobile user's ID and password simply by reading Logcat. This is especially serious on old Android versions prior to Android Jelly Bean, where any installed app could access Logcat without any permission.
- ---Vendor feedback---
- We have reported this issue to the vendor, and they will fix this problem soon.
- 1. Try to log in to PowerSchool, entering a username and password.
- 2. Search for the password in the log:
- $ adb logcat | grep 'password'
- 11857 12122 D SoapCall: loginToPublicPortal request xml <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www...<username><![CDATA[email@example.com]]></username><password><![CDATA[myPasswordHere]]></password.</loginToPublicPortal></soap:Body></soap:Envelope>
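- A defensive check for the class of bug described above, added here as an example (not PowerSchool's own code): `redact_soap` masks the credential elements before a SOAP request body reaches a log sink, and `find_leaks` scans captured logcat lines for any still-unmasked values, the way a tester would after running the steps above. The log lines are constructed to mirror the advisory's output, and the tag list is an assumption.

```python
import re

# Constructed sample logcat lines modelled on the advisory's output (not real data)
SAMPLE_LOGCAT = [
    "11857 12122 D SoapCall: loginToPublicPortal request xml <?xml version=\"1.0\"?>"
    "<soap:Envelope><soap:Body><loginToPublicPortal>"
    "<username><![CDATA[student@example.com]]></username>"
    "<password><![CDATA[hunter2]]></password>"
    "</loginToPublicPortal></soap:Body></soap:Envelope>",
    "11857 12122 D SoapCall: getStudentData response xml <status>ok</status>",
]

# Elements whose content must never be written to a log (assumed list for this app)
SENSITIVE_TAGS = ("username", "password")
PLACEHOLDER = "[REDACTED]"

# Matches <tag>...</tag> for a sensitive tag, with or without a CDATA wrapper.
# group(1) = tag name, group(2) = CDATA value, group(3) = plain text value.
CRED_RE = re.compile(
    r"<(%s)>(?:<!\[CDATA\[(.*?)\]\]>|(.*?))</\1>" % "|".join(SENSITIVE_TAGS),
    re.S,
)


def redact_soap(xml: str) -> str:
    """Return the SOAP body with credential elements masked.

    Logging the request body at all should be disabled in release builds;
    redaction is the safety net for debug logging that survives into production.
    """
    return CRED_RE.sub(lambda m: "<%s>%s</%s>" % (m.group(1), PLACEHOLDER, m.group(1)), xml)


def find_leaks(lines):
    """Return (line_number, tag) for every log line carrying an unmasked credential."""
    hits = []
    for number, line in enumerate(lines, 1):
        for m in CRED_RE.finditer(line):
            value = m.group(2) if m.group(2) is not None else m.group(3)
            if value and value != PLACEHOLDER:
                hits.append((number, m.group(1)))
    return hits


if __name__ == "__main__":
    for number, tag in find_leaks(SAMPLE_LOGCAT):
        print("line %d leaks <%s>" % (number, tag))
    print(redact_soap(SAMPLE_LOGCAT[0]))
```

- Feeding real `adb logcat` output into `find_leaks` (one line per entry) gives a quick regression check that a fix actually removed the credentials rather than only changing the log tag.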
- Jaeho Lee (Jaeho.Lee@rice.edu)
- Rice University