I am not allowed to disclose any information regarding the company I’ve just hacked. I have informed them about all the vulnerabilities that led me to this exploit and they are still working on a fix.
The story begins a week ago, watching yet another Youtube video.
The annoying ad is starting, 5 seconds left and I will be procrastinating like no one’s watching.
Oh wait, what am I seeing ? A company just started to advertise its new dating app in my country !
I will finally go through the whole ad without skipping it and it wasn’t too bad tbh. So I decided to go on and install it on my mobile phone. Once again, the app is cool, no fancy stuff but it’s ok.
I couldn’t stop wondering “Well, has it ever worked ?” and first matches never came.
Oh boy, don’t you know my hacking skills
I recently heard on TV that love could occur at work, at gym, at events and so on.
What about leveraging on vulnerabilities to find my soul mate ?
The whole process
Yet another unpaid bounty and Burp Suite Community Edition was launched.
Configured my Android phone to use Burp Proxy and launched the dating app which we’ll call SoulMate.
No request is being intercepted at all.
I spent some minutes trying to figure out why requests weren’t being intercepted while the application was perfectly running.
Way too lazy to ask StackOverflow about it, I decided to take another road for making my recon phase efficient.
Jadx, there you are
Abstract taken from http://www.javadecompilers.com/apk
This is what happens when you’re to use Jadx:
Actually this happens perfectly only if there’s no hard security strategy at APK level (uglifying, minimizing, refactoring processes = lot of stuff to make code neither readable nor understandable)
Now using this decompiler I started to dive deep into lines of code. File by file, from resources to actual Java logic.
As I’ve been dealing with Android mobile apps for my job I’m familiar with the file structure and frequently used libraries.
I’ve been lucky enough to get almost everything, readable and understandable.
Credits to ma-polimi : https://www.slideshare.net/ma-polimi/how-to-create-an-application-in
Such an excitement ! My recon phase was finally on a good track.
Harvesting Java sources, I stumbled upon :
Looking further, this is what I found :
Postman was Launched
If you’re unfamiliar with this tool I’d describe it as the best GUI ever made for creating HTTP requests and analyze responses. It has tons of features and I spend 99% of my time on it to test my REST APIs.
I couldn’t wait so I did a dumb reproduction of the request in Postman which is here :
AND GUESS WHAT ???
So far I was really happy about my discovery. I was able to loop through all the userid (1 to ~5000) with a Python script and get all the data (which I did not).
Everything could have stopped there
I decided to go even further and to my eye it seemed that the password was a MD5 hash so I went on md5decrypt.
Hooray !!! The password is in the hash database.
I am now able to log into almost all the accounts of the app.
It means that I can actually :
- Send and read messages
- Like my own profile to get matched in seconds
- Delete or modify the account
- Usurp e-identity
Could I have stopped there ?
The issue is now huge.
Come on, my first goal was to find my soul mate and those guys just gave me a free ticket to unlimited matches with the most beautiful girls of my country.
I wondered : “Dude, (actually talking to myself) do you think that those users have the same password on both this app and their mail account ?”
How kind of you ❤️
And it just got real.
I will be honest : After all, this was just a daily challenge as of my everyday white-hacking habit. Nevertheless, for the sake of my curiosity I tried and could successfully log into ~30 mail accounts out of 45 tested.
The result is terrifying.
If a black hat were to stumble across such a vulnerability, it could be a dramatic disaster for the victims that just wanted to find love.
Last words
I contacted the company about this issue and got a response like “We’ll fix it, thank you very much”.
The company isn’t running a bug bounty program, yet I’m still dreaming of something like this for the incoming weeks :
“Close-up of a man's hands holding a bundle of dollar bills and a cigarette” by Jeremy Paige on Unsplash
I won’t go about protection mechanisms as it seems obvious to me that the only thing to do in this case is to implement an authentication process with whatever (JWT, http headers, an access key in the GET parameters, whatever) or to encrypt data transfers.
Regarding the Android app, a single line in the proguard clause would have thrown me off : minifyEnabled: true
Take care of your personal information.
Don’t use the same passwords everywhere.
Stop using “azerty” and “12345678”, please. (Same goes for “Azerty12”)
Thanks for reading
It’s the first time I write an article of this kind and I definitely hope you liked it.
Feel free to reach out at [email protected]
“Cappuccino in a white mug with white foam art on a wooden table” by wu yi on Unsplash