SHOW:
|
|
- or go back to the newest paste.
| 1 | - | # Title: Dark Horse Comics - Logging Sensitive Information |
| 1 | + | # Title: PowerSchool Mobile - Logging Sensitive Information |
| 2 | - | # Application: Dark Horse Comics |
| 2 | + | # Application: PowerSchool Mobile |
| 3 | - | # Version: 1.3.21 |
| 3 | + | # Version: 1.1.8 |
| 4 | - | # Software Link: https://play.google.com/store/apps/details?id=com.darkhorse.digital |
| 4 | + | # Software Link: https://play.google.com/store/apps/details?id=com.powerschool.portal |
| 5 | - | # Company: Dark Horse Comics |
| 5 | + | # Company: PowerSchool Group LLC |
| 6 | # Installs: 1,000,000+ | |
| 7 | - | # Impact: hackers can get username and password of Dark Horse Comics, looking at the log. |
| 7 | + | # Impact: Hackers can get username and password of the app by looking at the log |
| 8 | # Category: Mobile Apps | |
| 9 | - | # Tested on: Android 9 |
| 9 | + | # Tested on: Android 8 |
| 10 | ||
| 11 | ---Description--- | |
| 12 | - | Dark Horse Comics, the popular comics app installed more than 1 million, stores a user token in Logcat. The user token is the Base64-encoded string from password and username, so by decoding it, hackers can obtain usernames and passwords of the app. |
| 12 | + | PoweverSchool Mobile, the popular education app installed more than 1 million, logs username and password in Logcat during login step. So, hackers can obtain user password/ID of PowerSchool Mobile, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission. |
| 13 | - | Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission. |
| 13 | + | |
| 14 | ---Vendor feedback--- | |
| 15 | We have reported this issue to the vendor, and they will fixed this problem soon. | |
| 16 | ||
| 17 | - | After reporting, the vendor has quickly fixed this problem and released a new version. |
| 17 | + | |
| 18 | 1. Try to login in PowerSchool, entering username and password. | |
| 19 | ||
| 20 | - | 1. Try to log in Dark Horse Comics, Android app. |
| 20 | + | 2. Search password in the log |
| 21 | - | - Opening Login UI |
| 21 | + | $ adb logcat | grep 'password' |
| 22 | - | - Enter credentials. Fake information is enough for reproducing. |
| 22 | + | |
| 23 | - | |
| 23 | + | 11857 12122 D SoapCall: loginToPublicPortal request xml <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www...<username><![CDATA[jaeho.lee@rice.edu]]></username><password><![CDATA[myPasswordHere]]></password.</loginToPublicPortal></soap:Body></soap:Envelope> |
| 24 | - | 2. Search the token in the log |
| 24 | + | |
| 25 | - | $ adb logcat | grep 'request with token' |
| 25 | + | |
| 26 | ---Reporter--- | |
| 27 | - | 09-16 23:44:31.132 13303 14813 V DarkHorse.DungeonHTTPClient: Manually signing HTTP request with token: amFlaG8ubGVlQHJpY2UuZWR1Om15ZmFja3Bhc3N3b3Jk |
| 27 | + | Jaeho Lee(Jaeho.Lee@rice.edu) |
| 28 | Rice University |
