View difference between Paste ID: 9VBiRpAR and 5ZDDCqgL
1-
# Title: Dark Horse Comics - Logging Sensitive Information
1+
# Title: PowerSchool Mobile - Logging Sensitive Information
2-
# Application: Dark Horse Comics
2+
# Application: PowerSchool Mobile 
3-
# Version: 1.3.21
3+
# Version: 1.1.8
4-
# Software Link: https://play.google.com/store/apps/details?id=com.darkhorse.digital
4+
# Software Link: https://play.google.com/store/apps/details?id=com.powerschool.portal
5-
# Company: Dark Horse Comics
5+
# Company: PowerSchool Group LLC
6
# Installs: 1,000,000+
7-
# Impact: hackers can get username and password of Dark Horse Comics, looking at the log.
7+
# Impact: Hackers can get username and password of the app by looking at the log
8
# Category: Mobile Apps
9-
# Tested on: Android 9
9+
# Tested on: Android 8
10
11
---Description---
12-
Dark Horse Comics, the popular comics app installed more than 1 million, stores a user token in Logcat. The user token is the Base64-encoded string from password and username, so by decoding it, hackers can obtain usernames and passwords of the app.
12+
PoweverSchool Mobile, the popular education app installed more than 1 million, logs username and password in Logcat during login step. So, hackers can obtain user password/ID of PowerSchool Mobile, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission.
13-
Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission. 
13+
14
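Review bot: the 12+ description misstates the pre-Jelly Bean condition and drops the part of 12- that explained the impact. Before Android 4.1 a third-party app could read the system log only after declaring android.permission.READ_LOGS, an install-time permission that users routinely accepted; it was not "without any permission". Since 4.1 that permission is restricted to system/signature apps and an app only sees its own log lines, so the sentence should say which exposure still applies on the Android 8 and Android 9 builds these pastes were tested on: anyone with adb access to an unlocked device, bug reports, and OEM or third-party crash-reporting and log-collection tooling all capture Logcat, so the credentials leak regardless of the READ_LOGS change. The removed 12- text also stated the useful fact for the Dark Horse case, that the token is a Base64 encoding of username and password (the form HTTP Basic authentication uses), which is why decoding it yields the cleartext login; the PowerSchool version needs no decoding at all since the SOAP body carries the password in clear, and the description should say that difference explicitly.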
---Vendor feedback---
15
We have reported this issue to the vendor, and they will fixed this problem soon.
16
17-
After reporting, the vendor has quickly fixed this problem and released a new version.
17+
18
1. Try to login in PowerSchool, entering username and password.
19
20-
1. Try to log in Dark Horse Comics, Android app.
20+
2. Search password in the log
21-
  - Opening Login UI
21+
  $ adb logcat | grep 'password'
22-
  - Enter credentials. Fake information is enough for reproducing.
22+
  
23-
        
23+
11857 12122 D SoapCall: loginToPublicPortal request xml <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www...<username><![CDATA[jaeho.lee@rice.edu]]></username><password><![CDATA[myPasswordHere]]></password.</loginToPublicPortal></soap:Body></soap:Envelope> 
24-
2. Search the token in the log
24+
25-
$ adb logcat | grep 'request with token'
25+
26
---Reporter---
27-
09-16 23:44:31.132 13303 14813 V DarkHorse.DungeonHTTPClient: Manually signing HTTP request with token: amFlaG8ubGVlQHJpY2UuZWR1Om15ZmFja3Bhc3N3b3Jk
27+
Jaeho Lee(Jaeho.Lee@rice.edu)
28
Rice University
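Review bot: the reproduction steps have a reliability problem and leave out the step that turns the log line into working credentials. `adb logcat | grep 'password'` in 21+ is case-sensitive and only streams lines written after it starts, so a login completed before the grep runs is missed and a tag or key spelled `Password` would be too; clear the buffer first (`adb logcat -c`), log in, then dump with `adb logcat -d | grep -i password`. The same applies to the 25- command for 'request with token'. The 23+ SoapCall line is cut off after `</password.` and the `...` elides the namespace, which is fine as evidence but should be marked as trimmed. For the 27- evidence, say what the token is: `amFlaG8ubGVlQHJpY2UuZWR1Om15ZmFja3Bhc3N3b3Jk` is Base64 of `username:password` and decodes to `jaeho.lee@rice.edu:myfackpassword`, exactly the fake credentials entered in step 1, so one `base64 -d` recovers the account; the advisory should show that decode as its final step. Note also that the diff alignment places the 27- Dark Horse log line after `---Reporter---`; in the advisory itself it belongs under step 2, directly after the grep command.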
