View difference between Paste ID: h8v0qxZH and 8dvs5RcJ
-# Title: Rapid Gator - Logging Sensitive Information
+# Title: Seesaw Parent & Family app - Logging Sensitive Information
-# Application: Rapid Gator
+# Application: Seesaw Parent & Family
-# Version: 0.7.1
+# Version: 6.2.5
-# Software Link: https://play.google.com/store/apps/details?id=net.rapidgator
+# Software Link: https://play.google.com/store/apps/details?id=seesaw.shadowpuppet.co.seesaw
-# Company: Rapid Gator
+# Company: Seesaw
-# Installs: 100,000+
+# Installs:1,000,000+
-# Impact: hackers can get the username and password of Rapid Gator, looking at the log.
+# Impact: hackers can get username and password of Seesaw Family, looking at the log.
 # Category: Mobile Apps
-# Tested on: Android 9
+# Tested on : Android 9
 
 
 ---Description---
 
 Seesaw Family, the popular education app installed more than 1 million, stores username and password in Logcat. So, hackers can obtain the username and password of the app, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission.
-Rapid Gator, the popular file-sharing app installed more than 0.1 million, stores username and password in Logcat. So, hackers can obtain the username and password of the app, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission.
+
 
 ---Vendor feedback---
 
 After reporting, they have fixed this problem quickly and released a new version.
-After reporting, the vendor has fixed this problem quickly and released a new version.
+
 
 ---PoC---
 
 1. Try to log in the Android app.
-1. Try to log in Rapid Gator, Android app.
+
 
   - Enter credentials. Fake information is enough for reproducing.
 
 
 
 2. Search the password in the log
 
 $ adb logcat | grep 'password'
 
-09-17 00:12:16.296 15619 15746 D OkHttp  : --> GET http://rapidgator.net/api/v2/user/login?login=jaeho.lee%40rice.edu&password=MyPasswordIsHere!
+D Retrofit: ---> HTTP POST https://app.seesaw.me/api/auth/login?classes=1&email=jaeho.lee%40rice.edu&password=MyPasswordIsHere&role=parent&_bundle=me.see-saw.android_parent&_build=1584703&_model=GOOGLE+Android+SDK+built+for+x86&_install_id=732b4c9e-dbf0-4ecb-ad31-188bf4e51901&_tz_offset=0
-09-17 00:12:16.773 15619 15746 D OkHttp  : <-- 200 OK http://rapidgator.net/api/v2/user/login?login=jaeho.lee%40rice.edu&password=MyPasswordIsHere! (477ms)
+
 
 
 --Reporter---
 
 Jaeho Lee (Jaeho.Lee@rice.edu)
 
 Rice Computer Security Lab
 
 Rice University
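Added example (not from the advisory or either vendor's code): a scanner that applies the idea of the PoC above to a captured logcat buffer, pulling URLs out of each log line and flagging the query parameters that carry credentials, together with the redaction a logging interceptor has to apply before a request URL is written to Logcat. The log lines, host and credentials are constructed, and the sensitive-parameter list is an assumed starting point.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query parameters that must never reach Logcat (assumed list; extend per app).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "access_token", "login", "email"}

# Logcat line: optional "threadtime" prefix (date, time, pid, tid), then "LEVEL Tag: message".
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{2}-\d{2} [\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+)?"
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+?)\s*: (?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed logcat capture modelled on the PoC output (placeholder host and credentials).
SAMPLE_LOGCAT = """\
09-17 00:12:16.296 15619 15746 D OkHttp  : --> GET http://example.invalid/api/v2/user/login?login=user%40example.com&password=Hunter2!
09-17 00:12:16.773 15619 15746 D OkHttp  : <-- 200 OK http://example.invalid/api/v2/user/login?login=user%40example.com&password=Hunter2! (477ms)
D Retrofit: ---> HTTP POST https://example.invalid/api/auth/login?classes=1&email=user%40example.com&password=Hunter2&role=parent
09-17 00:12:17.001 15619 15746 I ActivityManager: Displayed example.app/.MainActivity: +312ms
"""


def redact_url(url):
    """Replace sensitive query values; what a logging interceptor must do before logging a URL."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def find_leaks(log_text):
    """Report each logcat line whose URL carries a sensitive parameter (tag, pid, redacted form)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a logcat line (e.g. a "--------- beginning of main" banner)
        for url in URL_RE.findall(m.group("msg")):
            leaked = sorted({k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)
                             if k.lower() in SENSITIVE_PARAMS})
            if leaked:
                findings.append({"tag": m.group("tag").strip(), "pid": m.group("pid"),
                                 "params": leaked, "redacted": redact_url(url)})
    return findings


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOGCAT):
        print(f"{f['tag']} (pid {f['pid']}): leaks {f['params']} -> {f['redacted']}")
```

Feed it `adb logcat -d` output captured during a test login to catch any HTTP client logging interceptor that still writes full URLs; the redacted form is what should have appeared in the log.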