1 | - | # Title: Dark Horse Comics - Logging Sensitive Information |
1 | + | # Title: PowerSchool Mobile - Logging Sensitive Information |
2 | - | # Application: Dark Horse Comics |
2 | + | # Application: PowerSchool Mobile |
3 | - | # Version: 1.3.21 |
3 | + | # Version: 1.1.8 |
4 | - | # Software Link: https://play.google.com/store/apps/details?id=com.darkhorse.digital |
4 | + | # Software Link: https://play.google.com/store/apps/details?id=com.powerschool.portal |
5 | - | # Company: Dark Horse Comics |
5 | + | # Company: PowerSchool Group LLC |
6 | # Installs: 1,000,000+ | |
7 | - | # Impact: hackers can get username and password of Dark Horse Comics, looking at the log. |
7 | + | # Impact: Hackers can get username and password of the app by looking at the log |
8 | # Category: Mobile Apps | |
9 | - | # Tested on: Android 9 |
9 | + | # Tested on: Android 8 |
10 | ||
11 | ---Description--- | |
12 | - | Dark Horse Comics, the popular comics app installed more than 1 million, stores a user token in Logcat. The user token is the Base64-encoded string from password and username, so by decoding it, hackers can obtain usernames and passwords of the app. |
12 | + | PoweverSchool Mobile, the popular education app installed more than 1 million, logs username and password in Logcat during login step. So, hackers can obtain user password/ID of PowerSchool Mobile, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission. |
13 | - | Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission. |
13 | + | |
14 | ---Vendor feedback--- | |
15 | We have reported this issue to the vendor, and they will fixed this problem soon. | |
16 | ||
17 | - | After reporting, the vendor has quickly fixed this problem and released a new version. |
17 | + | |
18 | 1. Try to login in PowerSchool, entering username and password. | |
19 | ||
20 | - | 1. Try to log in Dark Horse Comics, Android app. |
20 | + | 2. Search password in the log |
21 | - | - Opening Login UI |
21 | + | $ adb logcat | grep 'password' |
22 | - | - Enter credentials. Fake information is enough for reproducing. |
22 | + | |
23 | - | |
23 | + | 11857 12122 D SoapCall: loginToPublicPortal request xml <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www...<username><![CDATA[jaeho.lee@rice.edu]]></username><password><![CDATA[myPasswordHere]]></password.</loginToPublicPortal></soap:Body></soap:Envelope> |
24 | - | 2. Search the token in the log |
24 | + | |
25 | - | $ adb logcat | grep 'request with token' |
25 | + | |
26 | ---Reporter--- | |
27 | - | 09-16 23:44:31.132 13303 14813 V DarkHorse.DungeonHTTPClient: Manually signing HTTP request with token: amFlaG8ubGVlQHJpY2UuZWR1Om15ZmFja3Bhc3N3b3Jk |
27 | + | Jaeho Lee(Jaeho.Lee@rice.edu) |
28 | Rice University |
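Review bot: The replacement description (`+` line 12) misspells the product as "PoweverSchool", and the proof-of-concept capture (`+` line 23) publishes what looks like a real account and its password (`<username><![CDATA[jaeho.lee@rice.edu]]></username><password><![CDATA[myPasswordHere]]></password.`) and ends in `</password.` rather than `</password>`, so the XML appears truncated or mistyped; replace the credential with an obvious placeholder and re-check the captured line before publishing. The vendor-feedback section is also left inconsistent: line 15 still says "they will fixed this problem soon" (should read "will fix"), while the `+` side deletes line 17's statement that the vendor already released a fixed version, so the advisory should say which status applies to PowerSchool Mobile. Minor: `+` line 13 and `+` line 22 become empty lines, leaving step 2 and its `adb logcat | grep 'password'` command without the blank-line spacing used elsewhere.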