8 comments

[ 3.1 ms ] story [ 28.1 ms ] thread
"Last but not least, all communications are transmitted in clear text; no encryption is involved across the whole app."

It's pretty common to send and receive API requests in clear text, since the encryption for this part should be handled by HTTPS. But you're right, this app only uses HTTP

Correct, but https is often called encryption too, in these contexts
I wish the author would have listed the types of issues at work here.

Privacy violation is the result of a few types of issues including JSON injection and horizontal privilege (maybe vertical) escalation.

Also, providing fixes could help lend a hand to developers, both the creators and readers of this post.

Please don't take this post as negative, it's a very nice finding which I'm glad is public to the point of helping our user information become safer, and for that I thank you author.

The app authors could have simply read OWASP and been fine, this appears to be direct object access issues, in other words, they had no check to verify that the user sending the request actually had permission to any of the things they requested.

Everything else is just manually issuing commands to a "RESTful" interface which does not care which account issues the command.

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...

I once found and disclosed similar issues in an app.

The app didn't use HTTPS so it was trivial to intercept Bearer tokens.

For some reason, most API endpoints returned way more data than necessary (e.g., when receiving a message you also get the user's last location, their name, their latest known profile icon), so simply observing network traffic on an Insecure WiFi network would be enough to get all the information you could ever want (no need to actually use that Bearer token).

And of course the app collected the precise GPS location and would return a GPS location with full precision in virtually every API response (messaging a stranger, fetching their public profile, etc).

In my private, responsible disclosure sent to the creator I demonstrated how I could use their private API to track the creator everywhere he goes. I think that drove the message home ;)

I am always skeptical when an app wants my GPS location.

Since I am friends with the creator's wife, I never wrote a post about this.