
Happy Hacking Easter – Story of privacy violation into an eggshell - tshtf
http://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=12
======
verst
I once found and disclosed similar issues in an app.

The app didn't use HTTPS so it was trivial to intercept Bearer tokens.

For some reason, most API endpoints returned way more data than necessary
(e.g., when receiving a message you also get the user's last location, their
name, their latest known profile icon), so simply observing network traffic on
an insecure WiFi network would be enough to get all the information you could
ever want (no need to actually use that Bearer token).

And of course the app collected the precise GPS location and would return a
GPS location with full precision in virtually every API response (messaging a
stranger, fetching their public profile, etc).

In my private, responsible disclosure sent to the creator I demonstrated how I
could use their private API to track the creator everywhere he goes. I think
that drove the message home ;)

I am always skeptical when an app wants my GPS location.

Since I am friends with the creator's wife, I never wrote a post about this.
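The over-sharing described in this comment (every response carrying the full user record and a full-precision GPS fix) is a server-side data-minimisation problem. The following is an added example, not code from the app or from the commenter: a per-endpoint allow-list serializer with coordinate coarsening, plus an audit helper that flags fields a response should not contain. The record, endpoint names and field lists are all constructed for illustration.

```python
"""Data-minimising API serializer (added example, not the app's own code)."""

# Constructed sample record standing in for what an over-sharing API
# would attach to every response. Not real data.
FULL_RECORD = {
    "user_id": 42,
    "name": "Alice Example",
    "profile_icon": "https://example.invalid/icons/42.png",
    "email": "alice@example.invalid",
    "last_lat": 45.464211,
    "last_lon": 9.191383,
    "last_seen": "2016-03-27T10:15:00Z",
}

# Hypothetical allow-lists: the message endpoint only needs enough to render
# a sender line; the public-profile endpoint additionally needs the icon.
# Anything not listed here (email, precise location, last_seen) never leaves.
ENDPOINT_FIELDS = {
    "message": {"user_id", "name"},
    "public_profile": {"user_id", "name", "profile_icon"},
}


def coarsen_coordinate(value: float, decimals: int = 2) -> float:
    """Round to two decimals (~1 km) so a leaked value cannot pinpoint a home."""
    return round(value, decimals)


def serialize(record: dict, endpoint: str, include_location: bool = False) -> dict:
    """Return only the allow-listed fields for this endpoint.

    Unknown endpoints raise instead of falling back to "send everything",
    so a new route cannot silently inherit the over-sharing behaviour.
    """
    try:
        allowed = ENDPOINT_FIELDS[endpoint]
    except KeyError:
        raise ValueError(f"no field allow-list defined for endpoint {endpoint!r}")
    out = {key: value for key, value in record.items() if key in allowed}
    if include_location:
        # Location is opt-in per call and always coarsened, never raw.
        out["approx_lat"] = coarsen_coordinate(record["last_lat"])
        out["approx_lon"] = coarsen_coordinate(record["last_lon"])
    return out


def overexposed_fields(response: dict, endpoint: str) -> set:
    """Audit helper: fields present in a captured response that the endpoint
    is not allowed to return. Useful when reviewing traffic from a proxy."""
    allowed = ENDPOINT_FIELDS.get(endpoint, set()) | {"approx_lat", "approx_lon"}
    return set(response) - allowed
```

Running `overexposed_fields(FULL_RECORD, "message")` against a captured response shows exactly which fields (email, precise coordinates, last-seen time) the endpoint is leaking beyond its purpose.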

------
tshtf
I'm not the author of the post, but here are some notes on this app:

500,000-1,000,000 installs:
[https://play.google.com/store/apps/details?id=com.ferrero.ma...](https://play.google.com/store/apps/details?id=com.ferrero.magickinder.tablet&hl=en)

Written by Ferrero SpA (Yes, the producers of Nutella... $8.4 billion in
annual revenue):
[https://en.wikipedia.org/wiki/Ferrero_SpA](https://en.wikipedia.org/wiki/Ferrero_SpA)

------
bugmenot3
"Last but not least, all communications are transmitted in clear text; no
encryption is involved across the whole app."

It's pretty common to send and receive API requests in clear text, since the
encryption for this part should be handled by HTTPS. But you're right, this
app only uses HTTP.

~~~
tomsmeding
Correct, but HTTPS is often called encryption too, in these contexts.

------
joshschreuder
Another similar privacy leak affecting children on the VTech website a few
months ago:

[http://www.troyhunt.com/2015/11/when-children-are-breached-i...](http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html)

------
konceptz
I wish the author would have listed the types of issues at work here.

Privacy violation is the result of a few types of issues including JSON
injection and horizontal privilege (maybe vertical) escalation.

Also, providing fixes could help lend a hand to developers, both the creators
and readers of this post.

Please don't take this post as negative, it's a very nice finding which I'm
glad is public to the point of helping our user information become safer, and
for that I thank you author.

~~~
hobs
The app authors could have simply read OWASP and been fine, this appears to be
direct object access issues, in other words, they had no check to verify that
the user sending the request actually had permission to any of the things they
requested.

Everything else is just manually issuing commands to a "RESTful" interface
which does not care which account issues the command.

[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)
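The missing check this comment describes (an authenticated user can request any object id, and the server never asks whether that user is allowed to see it) is what OWASP calls an insecure direct object reference. Below is an added example, not the app's code or the commenter's: a minimal "get message by id" handler in its vulnerable form beside the hardened form, with in-memory dictionaries standing in for the token store and the database. Token strings, user ids and message ids are constructed.

```python
"""Direct object reference: authn-only vs. authn + ownership check
(added example, not the app's own code)."""

# Constructed sample data. Bearer tokens map to user ids; each message
# belongs to exactly one owner.
TOKENS = {"tok-alice": 1, "tok-bob": 2}
MESSAGES = {
    100: {"owner_id": 1, "body": "hi bob"},
    101: {"owner_id": 2, "body": "hi alice"},
}


class Unauthorized(Exception):
    """No or unknown bearer token (HTTP 401 equivalent)."""


class NotFound(Exception):
    """Object missing or not visible to this caller (HTTP 404 equivalent)."""


def authenticate(bearer: str) -> int:
    """Resolve a bearer token to a user id; this only answers 'who are you'."""
    try:
        return TOKENS[bearer]
    except KeyError:
        raise Unauthorized("unknown bearer token")


def is_owner(user_id: int, message_id: int) -> bool:
    """The authorization predicate: does this user own this message?"""
    msg = MESSAGES.get(message_id)
    return msg is not None and msg["owner_id"] == user_id


def get_message_vulnerable(bearer: str, message_id: int) -> dict:
    """Vulnerable: any valid token can read any message id."""
    authenticate(bearer)            # proves identity, then ignores it
    return MESSAGES[message_id]     # trusts the client-supplied id outright


def get_message_hardened(bearer: str, message_id: int) -> dict:
    """Hardened: the caller's identity is tied to the object being read."""
    user_id = authenticate(bearer)
    # A missing id and a foreign id both become NotFound, so the response
    # does not tell the caller whether the id exists in someone else's account.
    if not is_owner(user_id, message_id):
        raise NotFound(f"message {message_id} not found")
    return MESSAGES[message_id]
```

The same `is_owner` predicate belongs on every route that takes an object id (profile, location, friend list), and a code review can look for any handler that calls `authenticate` without also calling an ownership or permission check.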

