SHOW:
|
|
- or go back to the newest paste.
| 1 | - | # Title: PowerSchool Mobile - Logging Sensitive Information |
| 1 | + | # Title: Infinite Design - Cleartext Transmission of username and password |
| 2 | - | # Application: PowerSchool Mobile |
| 2 | + | # Application: Infinite Design |
| 3 | - | # Version: 1.1.8 |
| 3 | + | # Version: 3.4.12 |
| 4 | - | # Software Link: https://play.google.com/store/apps/details?id=com.powerschool.portal |
| 4 | + | # Software Link: https://play.google.com/store/apps/details?id=com.brakefield.idfree |
| 5 | - | # Company: PowerSchool Group LLC |
| 5 | + | # Company: Infinite Studio Mobile |
| 6 | - | # Installs: 1,000,000+ |
| 6 | + | # Installs: 5,000,000+ |
| 7 | - | # Impact: Hackers can get username and password of the app by looking at the log |
| 7 | + | # Impact: Anyone watching the network packet can obtain a username and password. |
| 8 | # Category: Mobile Apps | |
| 9 | - | # Tested on: Android 8 |
| 9 | + | # Tested on : Android 9 |
| 10 | ||
| 11 | ---Description--- | |
| 12 | - | PoweverSchool Mobile, the popular education app installed more than 1 million, logs username and password in Logcat during login step. So, hackers can obtain user password/ID of PowerSchool Mobile, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission. |
| 12 | + | Infinite Design, the popular Art app downloaded more than 5 millions, sends username and password via TCP without any encryption during login. So, anyone watching the network packet can obtain a username and password. It is critical, especially in mobile phones, because mobile phones are usually used in an insecure environment such as public WiFi. |
| 13 | ||
| 14 | ---Vendor feedback--- | |
| 15 | - | We have reported this issue to the vendor, and they will fixed this problem soon. |
| 15 | + | After reporting, the vendor have quickly fixed this problem and released a new version. |
| 16 | ||
| 17 | ---PoC--- | |
| 18 | - | 1. Try to login in PowerSchool, entering username and password. |
| 18 | + | 1. Try to login with Infinite Design, Android app. |
| 19 | - Going to Settings | |
| 20 | - | 2. Search password in the log |
| 20 | + | - Enter credentials. Fake information is enough for reproducing. |
| 21 | - | $ adb logcat | grep 'password' |
| 21 | + | |
| 22 | - | |
| 22 | + | 2. Sniffing network packet with any capturing tool. |
| 23 | - | 11857 12122 D SoapCall: loginToPublicPortal request xml <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www...<username><![CDATA[jaeho.lee@rice.edu]]></username><password><![CDATA[myPasswordHere]]></password.</loginToPublicPortal></soap:Body></soap:Envelope> |
| 23 | + | - the captured HTTP POST message contains user email and password. |
| 24 | ||
| 25 | Hypertext Transfer Protocol | |
| 26 | POST /users/index.php HTTP/1.1\r\n | |
| 27 | Content-Type: application/x-www-form-urlencoded\r\n | |
| 28 | charset: utf-8\r\n | |
| 29 | Content-Length: 63\r\n | |
| 30 | User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; ...)\r\n | |
| 31 | Host: www.seanbrakefield.com\r\n | |
| 32 | Connection: Keep-Alive\r\n | |
| 33 | Accept-Encoding: gzip\r\n | |
| 34 | \r\n | |
| 35 | [Full request URI: http://www.seanbrakefield.com/users/index.php] | |
| 36 | [HTTP request 1/1] | |
| 37 | [Response in frame: 662] | |
| 38 | File Data: 63 bytes | |
| 39 | HTML Form URL Encoded: application/x-www-form-urlencoded | |
| 40 | Form item: "tag" = "login" | |
| 41 | Form item: "email" = "jaeho.lee@rice.edu" | |
| 42 | Form item: "password" = "MyPasswordIsHere!" | |
| 43 | ||
| 44 | ||
| 45 | ---Reporter--- | |
| 46 | Jaeho Lee(Jaeho.Lee@rice.edu) | |
| 47 | Rice Computer Security Lab | |
| 48 | Rice University |
