
DoorDash Android app stores credentials in plain text in the log during auth - robin0
https://coocoor.com/advisory/cve/CVE-2019-17397/
======
fingerlocks
To exploit this and acquire the DoorDash account credentials: one must first
gain access to an individual’s device and the device password to grant adb
access on an untrusted machine. Then grep the DoorDash request from logcat
while simultaneously initiating a DoorDash auth challenge using the very same
credentials you are trying to acquire.

I’m not saying plaintext credential logging is at all acceptable, but I’m also
not sure this is headline worthy. Unless I’m missing something?
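Whatever one thinks of the severity, the defensive check is cheap: run the app through a login flow on a test device, dump logcat, and scan the dump for credential shapes before release. The script below is an added example written for this thread, not DoorDash code or anything from the advisory; the logcat lines are constructed samples and the regex set is a starting point an app team would extend for its own field names.

```python
"""Scan logcat-style output for credentials and produce a redacted copy.

Intended as a pre-release check: log in on a test device, capture
`adb logcat -d`, feed the lines to scan_logcat(), and fail the build if
any finding comes back. The sample lines at the bottom are constructed.
"""
import re

# Each label maps to a regex whose group(1) is the secret to be redacted.
# Field names are assumptions; extend the set for your app's own keys.
CREDENTIAL_PATTERNS = {
    "json_password": re.compile(
        r'"(?:password|passwd|pwd)"\s*:\s*"([^"]*)"', re.I),
    "form_password": re.compile(
        r'\b(?:password|passwd|pwd)=([^&\s]+)', re.I),
    "bearer_token": re.compile(
        r'Authorization:\s*(?:Bearer|Basic)\s+([A-Za-z0-9._~+/=-]+)', re.I),
}


def redact_line(line):
    """Return (labels_found, redacted_line) for a single log line."""
    findings = []
    redacted = line
    for label, pattern in CREDENTIAL_PATTERNS.items():
        def _sub(m, label=label):
            # Replace only the captured secret, keep the surrounding text
            findings.append(label)
            start = m.start(1) - m.start()
            end = m.end(1) - m.start()
            return m.group(0)[:start] + "[REDACTED]" + m.group(0)[end:]
        redacted = pattern.sub(_sub, redacted)
    return findings, redacted


def scan_logcat(lines):
    """Return [(line_number, labels, redacted_line)] for offending lines."""
    report = []
    for number, line in enumerate(lines, 1):
        findings, redacted = redact_line(line)
        if findings:
            report.append((number, findings, redacted))
    return report


# Constructed sample of what a careless HTTP logging interceptor emits.
SAMPLE_LOGCAT = [
    '03-14 12:34:56.789  1234  1250 D OkHttp  : --> POST https://api.example.invalid/v2/auth/login',
    '03-14 12:34:56.790  1234  1250 D OkHttp  : {"email":"user@example.invalid","password":"hunter2"}',
    '03-14 12:34:57.102  1234  1250 D OkHttp  : <-- 200 OK',
    '03-14 12:34:57.103  1234  1250 D OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.token',
    '03-14 12:34:58.000  1234  1250 I Analytics: screen=login&password=oops&flow=retry',
]

if __name__ == "__main__":
    for number, labels, redacted in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {number}: {', '.join(labels)}")
        print(f"  {redacted}")
```

In a CI job the `scan_logcat` result would be the gate; the redacted copy exists so the failing lines can be attached to the build report without re-leaking the secret. The real fix is to keep the HTTP logging interceptor at header-only or off in release builds, but the scan catches the cases where someone forgets.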

~~~
robin0
Any app installed on old versions of Android prior to Jelly Bean can access
logcat without any permission.

~~~
fingerlocks
The minimum target API level for the play store has been higher than that for
a year now.

