# Title: Seesaw Parent & Family app - Logging Sensitive Information
# Application: Seesaw Parent & Family
# Version: 6.2.5
# Software Link: https://play.google.com/store/apps/details?id=seesaw.shadowpuppet.co.seesaw
# Company: Seesaw
# Impact: an attacker can obtain a Seesaw Family user's username and password by reading the device log.
# Category: Mobile Apps
# Tested on: Android 9
Seesaw Family, a popular education app with more than 1 million installs, writes the user's username and password to Logcat. An attacker can therefore obtain the credentials simply by reading Logcat. In particular, on old Android versions prior to Android Jelly Bean, any installed app can read Logcat without any permission.
After the issue was reported, the vendor fixed it quickly and released a new version.
1. Log in to the Android app.
- Open the login UI.
- Enter credentials. Fake information is enough to reproduce the issue.
2. Search for the password in the log.
$ adb logcat | grep 'password'
D Retrofit: ---> HTTP POST https://app.seesaw.me/api/auth/login?classes=1&email=jaeho.lee%40rice.edu&password=MyPasswordIsHere&role=parent&_bundle=me.see-saw.android_parent&_build=1584703&_model=GOOGLE+Android+SDK+built+for+x86&_install_id=732b4c9e-dbf0-4ecb-ad31-188bf4e51901&_tz_offset=0
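The grep in step 2 only catches the literal word "password". As an added example that is not part of the original advisory, the following Python script scans Logcat lines for any HTTP request URL whose query string carries a credential-bearing parameter, and shows the redaction a client's logging interceptor should apply before such a line is written. The parameter list, the hostnames and the sample log lines are constructed assumptions for this example, not values from the Seesaw app.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that must never reach a debug log.
# Constructed list for this example; extend it for the app under review.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token",
                    "access_token", "secret", "api_key"}

# Matches an absolute http(s) URL anywhere inside a log line.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed Logcat excerpt (hostnames and values are placeholders).
SAMPLE_LOGCAT = [
    "D Retrofit: ---> HTTP POST https://api.example.test/auth/login"
    "?email=user%40example.test&password=hunter2&role=parent",
    "D Retrofit: <--- HTTP 200 https://api.example.test/auth/login (312ms)",
    "I ActivityManager: Displayed com.example.app/.LoginActivity: +412ms",
    "D OkHttp: --> GET https://api.example.test/session/refresh?token=abc123 http/1.1",
]


def find_sensitive_params(line):
    """Return [(url, [param names])] for every URL in `line` whose query
    string carries a parameter listed in SENSITIVE_PARAMS."""
    hits = []
    for url in URL_RE.findall(line):
        query = urlsplit(url).query
        names = [k for k, _ in parse_qsl(query, keep_blank_values=True)
                 if k.lower() in SENSITIVE_PARAMS]
        if names:
            hits.append((url, names))
    return hits


def redact_line(line):
    """Rewrite every URL in `line` so that sensitive parameter values become
    'REDACTED'. Non-sensitive parameters are kept (re-encoded) as they were.
    This is the transformation a logging interceptor should apply before
    emitting a request line."""
    def _redact(match):
        parts = urlsplit(match.group(0))
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
                   for k, v in pairs]
        return urlunsplit(parts._replace(query=urlencode(cleaned)))
    return URL_RE.sub(_redact, line)


def scan_logcat(lines):
    """Return one finding per offending line: its 1-based index, the sensitive
    parameter names found, and the line as it should have been logged."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = find_sensitive_params(line)
        if hits:
            params = sorted({p for _, names in hits for p in names})
            findings.append({"line": n, "params": params,
                             "redacted": redact_line(line)})
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; on a device you would feed it
    # the output of `adb logcat` line by line instead.
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f['line']}: leaks {', '.join(f['params'])}")
        print(f"  safe form: {f['redacted']}")
```

Reading `adb logcat` through `scan_logcat` during a pentest gives a complete list of request lines that expose credentials rather than only those matching one keyword; the `redact_line` output doubles as the expected behaviour to verify in the fixed build.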
Jaeho Lee (Jaeho.Lee@rice.edu)
Rice Computer Security Lab