Security Vulnerability in Seesaw Parent & Family app
friendlyjlee Oct 7th, 2019 (edited)
- # Title: Seesaw Parent & Family app - Logging Sensitive Information
- # Application: Seesaw Parent & Family
- # Version: 6.2.5
- # Software Link: https://play.google.com/store/apps/details?id=seesaw.shadowpuppet.co.seesaw
- # Company: Seesaw
- # Installs: 1,000,000+
- # Impact: an attacker can obtain Seesaw Family usernames and passwords simply by reading the device log.
- # Category: Mobile Apps
- # Tested on: Android 9
- Seesaw Family, a popular education app with more than 1 million installs, writes the username and password to Logcat. An attacker can therefore obtain the app's username and password simply by reading Logcat. On old Android versions prior to Jelly Bean in particular, any installed app can read Logcat without any permission.
- ---Vendor feedback---
- After the report, the vendor fixed this problem quickly and released a new version.
- 1. Log in to the Android app.
- - Open the login UI.
- - Enter credentials. Fake credentials are enough to reproduce the issue.
- 2. Search the log for the password
- $ adb logcat | grep 'password'
- D Retrofit: ---> HTTP POST https://app.seesaw.me/api/auth/login?classes=1&email=jaeho.lee%40rice.edu&password=MyPasswordIsHere&role=parent&_bundle=me.see-saw.android_parent&_build=1584703&_model=GOOGLE+Android+SDK+built+for+x86&_install_id=732b4c9e-dbf0-4ecb-ad31-188bf4e51901&_tz_offset=0
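- A defender-side check for this class of leak, added here as an example and not part of the original advisory: it scans logcat output for Retrofit-style request lines ("---> HTTP POST <url>"), reports any sensitive query parameters they carry, and can redact them before the lines are stored. The sample log lines are constructed (example.com host, placeholder credentials); the parameter-name list is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that should never reach a log line (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "access_token", "secret", "email"}

# Matches the URL in Retrofit-style request lines such as "---> HTTP POST https://..."
REQUEST_URL = re.compile(r"--->\s+HTTP\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# Constructed sample logcat output: one harmless request, one leaking login, one unrelated line.
SAMPLE_LOG = [
    "D Retrofit: ---> HTTP GET https://app.example.com/api/feed?classes=1&_build=1584703",
    "D Retrofit: ---> HTTP POST https://app.example.com/api/auth/login?classes=1"
    "&email=parent%40example.com&password=MyPasswordIsHere&role=parent&_tz_offset=0",
    "I ActivityManager: Displayed seesaw.shadowpuppet.co.seesaw/.LoginActivity: +312ms",
]

def find_sensitive_params(line):
    """Return [(key, value)] for sensitive query parameters found in one logcat line."""
    m = REQUEST_URL.search(line)
    if not m:
        return []
    query = urlsplit(m.group("url")).query
    # parse_qsl decodes percent-encoding, so 'parent%40example.com' becomes the real address
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_KEYS]

def redact_line(line):
    """Rewrite the request URL so sensitive values are masked; other lines are returned unchanged."""
    m = REQUEST_URL.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("url"))
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    safe_url = urlunsplit(parts._replace(query=urlencode(pairs)))
    return line[:m.start("url")] + safe_url + line[m.end("url"):]

def scan_logcat(lines):
    """Return one finding per log line that leaks a sensitive parameter (1-based line numbers)."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = find_sensitive_params(line)
        if hits:
            findings.append({"line": n, "keys": sorted(k for k, _ in hits)})
    return findings

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOG):
        print(f"line {f['line']}: leaks {', '.join(f['keys'])}")
    print(redact_line(SAMPLE_LOG[1]))
```

Piping `adb logcat` through `redact_line` before archiving logs limits the blast radius, but the real fix is the vendor's: stop sending credentials as URL query parameters and stop logging full request URLs in release builds.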
- Jaeho Lee (Jaeho.Lee@rice.edu)
- Rice Computer Security Lab
- Rice University