friendlyjlee

Security Bug in PowerSchool Android Application

Oct 7th, 2019
# Title: PowerSchool Mobile - Logging Sensitive Information
# Application: PowerSchool Mobile
# Version: 1.1.8
# Software Link: https://play.google.com/store/apps/details?id=com.powerschool.portal
# Company: PowerSchool Group LLC
# Installs: 1,000,000+
# Impact: An attacker can obtain a user's username and password for the app by reading the log
# Category: Mobile Apps
# Tested on: Android 8

---Description---
PowerSchool Mobile, a popular education app with more than 1 million installs, logs the username and password to Logcat during the login step. An attacker can therefore obtain a PowerSchool Mobile user's ID and password simply by reading Logcat. In particular, on Android versions prior to Android Jelly Bean, any installed app can access Logcat without any permission.

---Vendor feedback---
We have reported this issue to the vendor, and they will fix this problem soon.

---PoC---
1. Try to log in to PowerSchool, entering a username and password.

2. Search for the password in the log:
$ adb logcat | grep 'password'

11857 12122 D SoapCall: loginToPublicPortal request xml <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www...<username><![CDATA[jaeho.lee@rice.edu]]></username><password><![CDATA[myPasswordHere]]></password.</loginToPublicPortal></soap:Body></soap:Envelope>

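Added example (not from the original report or from PowerSchool's code): a Python helper that audits captured logcat output for loginToPublicPortal envelopes carrying <username>/<password> elements and masks the values, which is also the redaction a fixed client should apply before the request XML is ever passed to the logger. The sample log lines, the account and the password in them are constructed for this example.

```python
import re
from dataclasses import dataclass

# <username>...</username> / <password>...</password> as in the loginToPublicPortal request,
# with or without a CDATA wrapper around the value.
_ELEMENT_RE = re.compile(r"(?P<open><(?P<tag>username|password)>)(?P<body>.*?)(?P<close></(?P=tag)>)", re.DOTALL)

# Logcat line in the shape shown in the PoC: "PID TID LEVEL TAG: message".
_LOGCAT_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s*(?P<msg>.*)$")


def redact_soap_credentials(xml: str) -> str:
    """Mask credential values with '***' (keeping CDATA wrappers) so the envelope can be logged safely."""
    def _mask(m):
        body = m.group("body")
        masked = "<![CDATA[***]]>" if body.startswith("<![CDATA[") and body.endswith("]]>") else "***"
        return m.group("open") + masked + m.group("close")
    return _ELEMENT_RE.sub(_mask, xml)


@dataclass
class Finding:
    pid: str
    tag: str
    elements: tuple   # credential elements found in the message, sorted
    redacted: str     # the offending message with the values already masked


def scan_logcat(lines):
    """Audit captured logcat output: one Finding per line carrying a credential element, already redacted."""
    findings = []
    for line in lines:
        m = _LOGCAT_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        exposed = tuple(sorted({e.group("tag") for e in _ELEMENT_RE.finditer(msg)}))
        if exposed:
            findings.append(Finding(m.group("pid"), m.group("tag"), exposed, redact_soap_credentials(msg)))
    return findings


# Constructed sample modelled on the PoC line; the account and password are made up.
SAMPLE_LOGCAT = [
    '11857 12122 D SoapCall: loginToPublicPortal request xml <?xml version="1.0" encoding="utf-8"?>'
    "<soap:Envelope><soap:Body><loginToPublicPortal><username><![CDATA[student@example.org]]></username>"
    "<password><![CDATA[Sup3rSecret!]]></password></loginToPublicPortal></soap:Body></soap:Envelope>",
    "11857 12122 D SoapCall: loginToPublicPortal response code 200",
    " 1234  1234 I ActivityManager: Displayed com.powerschool.portal/.MainActivity",
]
```

Running scan_logcat over `adb logcat -d` output gives a report that names the leaking process and tag without copying the secret into yet another file.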
---Reporter---
Jaeho Lee (Jaeho.Lee@rice.edu)
Rice University