1 | - | # Title: PowerSchool Mobile - Logging Sensitive Information |
1 | + | # Title: Infinite Design - Cleartext Transmission of username and password |
2 | - | # Application: PowerSchool Mobile |
2 | + | # Application: Infinite Design |
3 | - | # Version: 1.1.8 |
3 | + | # Version: 3.4.12 |
4 | - | # Software Link: https://play.google.com/store/apps/details?id=com.powerschool.portal |
4 | + | # Software Link: https://play.google.com/store/apps/details?id=com.brakefield.idfree |
5 | - | # Company: PowerSchool Group LLC |
5 | + | # Company: Infinite Studio Mobile |
6 | - | # Installs: 1,000,000+ |
6 | + | # Installs: 5,000,000+ |
7 | - | # Impact: Hackers can get username and password of the app by looking at the log |
7 | + | # Impact: Anyone watching the network packet can obtain a username and password. |
8 | # Category: Mobile Apps | |
9 | - | # Tested on: Android 8 |
9 | + | # Tested on : Android 9 |
10 | ||
11 | ---Description--- | |
12 | - | PoweverSchool Mobile, the popular education app installed more than 1 million, logs username and password in Logcat during login step. So, hackers can obtain user password/ID of PowerSchool Mobile, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission. |
12 | + | Infinite Design, the popular Art app downloaded more than 5 millions, sends username and password via TCP without any encryption during login. So, anyone watching the network packet can obtain a username and password. It is critical, especially in mobile phones, because mobile phones are usually used in an insecure environment such as public WiFi. |
13 | ||
14 | ---Vendor feedback--- | |
15 | - | We have reported this issue to the vendor, and they will fixed this problem soon. |
15 | + | After reporting, the vendor have quickly fixed this problem and released a new version. |
16 | ||
17 | ---PoC--- | |
18 | - | 1. Try to login in PowerSchool, entering username and password. |
18 | + | 1. Try to login with Infinite Design, Android app. |
19 | - Going to Settings | |
20 | - | 2. Search password in the log |
20 | + | - Enter credentials. Fake information is enough for reproducing. |
21 | - | $ adb logcat | grep 'password' |
21 | + | |
22 | - | |
22 | + | 2. Sniffing network packet with any capturing tool. |
23 | - | 11857 12122 D SoapCall: loginToPublicPortal request xml <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www...<username><![CDATA[jaeho.lee@rice.edu]]></username><password><![CDATA[myPasswordHere]]></password.</loginToPublicPortal></soap:Body></soap:Envelope> |
23 | + | - the captured HTTP POST message contains user email and password. |
24 | ||
25 | Hypertext Transfer Protocol | |
26 | POST /users/index.php HTTP/1.1\r\n | |
27 | Content-Type: application/x-www-form-urlencoded\r\n | |
28 | charset: utf-8\r\n | |
29 | Content-Length: 63\r\n | |
30 | User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; ...)\r\n | |
31 | Host: www.seanbrakefield.com\r\n | |
32 | Connection: Keep-Alive\r\n | |
33 | Accept-Encoding: gzip\r\n | |
34 | \r\n | |
35 | [Full request URI: http://www.seanbrakefield.com/users/index.php] | |
36 | [HTTP request 1/1] | |
37 | [Response in frame: 662] | |
38 | File Data: 63 bytes | |
39 | HTML Form URL Encoded: application/x-www-form-urlencoded | |
40 | Form item: "tag" = "login" | |
41 | Form item: "email" = "jaeho.lee@rice.edu" | |
42 | Form item: "password" = "MyPasswordIsHere!" | |
43 | ||
44 | ||
45 | ---Reporter--- | |
46 | Jaeho Lee(Jaeho.Lee@rice.edu) | |
47 | Rice Computer Security Lab | |
48 | Rice University |
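Review bot: The new Description at line 12 says the credentials go out "via TCP without any encryption", but the capture at lines 25-42 shows an ordinary HTTP POST to http://www.seanbrakefield.com/users/index.php, so the description should name the protocol as plain HTTP (no TLS), and the Vendor feedback at line 15 should state what the released fix changed (for example, whether the login endpoint now uses HTTPS) so readers can confirm which version is affected. Two smaller points: line 20 says "Fake information is enough for reproducing", yet line 41 and the old line 23 show what looks like the reporter's real e-mail address inside the captured credentials, which is worth redacting in a public advisory; and the left-over sub-step "Going to Settings" at line 19 and the extra space in "Tested on : Android 9" at line 9 read as residue from the previous paste.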