Last week, when coming across this report https://securelist.com/surviving-in-an-iot-enabled-world/72595/, I found it very interesting that the developer had hardcoded the credentials of a Gmail account in his App. In order to figure out how many Apps are affected by this flaw, I turned to Janus for help. The query https://www.appscan.io/search-app.html#type=app&q=strings:&page=1&hidecount=true&val=strings:%22smtp.gmail.com%22 returns about five thousand Apps! Apart from the email service provider Apps, most of them are likely to embed Gmail credentials.
I casually chose some of the Apps for testing. Some of them are out-of-date Apps whose email credentials have since been changed, and some were blocked during the login process by Gmail's double-check policy. At last, when coming to the OCBC App, a Singaporean banking App, I found that its credentials were valid, and at the verification stage the backup email address in the App helped me bypass the double check. I was lucky enough to log in successfully.
Credentials for this App are:
Username: ****.mib@gmail.com
Password: ****mib!@#
Backup email: ****.phyo@aleph-labs.com
The story does not end here. Apart from the well-known email providers, "smtp.gmail.com" in this case, there are lots of localized email providers that Apps can use. So, how many email credentials are really inside Apps? I don't know.
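As an added example (not code from the original post, and not Janus), here is the check a developer or app-security reviewer would run over their own build before release: a small Python scanner over a constructed strings dump that flags an SMTP host string and, close to it, an account and a password-looking literal. The host pattern covers any smtp./mail. provider, not only Gmail, so it also catches the localized providers mentioned above; the sample dump, regexes and heuristics are my own assumptions.

```python
import re

# Constructed sample: string constants as a decompiler or `strings` would
# list them for an app that sends mail through hardcoded SMTP settings.
SAMPLE_DUMP = """\
Demo Mailer
https://api.example.com/v1
smtp.gmail.com
465
notify.demo.account@gmail.com
Summer2016!@#
mail.smtp.auth
mail.smtp.socketFactory.class
Contact us at support@example.com
"""

# Hostnames of the form smtp.<provider> / mail.<provider>; the lookahead
# skips JavaMail property names such as "mail.smtp.auth".
SMTP_HOST_RE = re.compile(r"^(?:smtps?|mail)\.(?!smtp\.)[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")
DOTTED_NAME_RE = re.compile(r"^\w+(?:\.\w+)+$")  # class, property or host names


def looks_like_password(s: str) -> bool:
    """Heuristic: a compact literal that mixes at least three character classes."""
    if len(s) < 8 or any(c.isspace() for c in s) or "://" in s:
        return False
    if DOTTED_NAME_RE.match(s):
        return False
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in s) for t in tests) >= 3


def find_hardcoded_smtp_credentials(lines: list, window: int = 4) -> list:
    """One finding per SMTP host string, listing e-mail accounts and
    password-looking literals within `window` strings before or after it."""
    findings = []
    for i, raw in enumerate(lines):
        host = raw.strip()
        if not SMTP_HOST_RE.match(host):
            continue
        lo, hi = max(0, i - window), min(len(lines), i + window + 1)
        nearby = [lines[j].strip() for j in range(lo, hi) if j != i]
        accounts = [s for s in nearby if EMAIL_RE.match(s)]
        passwords = [s for s in nearby if s not in accounts and looks_like_password(s)]
        findings.append({"host": host, "line": i,
                         "accounts": accounts, "password_candidates": passwords})
    return findings


if __name__ == "__main__":
    print(find_hardcoded_smtp_credentials(SAMPLE_DUMP.splitlines()))
```

Any finding with both an account and a password candidate is a release blocker; the fix is to move mail sending behind a server-side endpoint rather than shipping SMTP credentials in the App.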