Janus Team

Protected: Finding Apps that use an out-of-date “upnp” library on the iTunes App Store


Protected: Toyota and Lexus navigator design flaw may cause remote attack


Hacking email credentials in App for fun

Last week, when I came across this report https://securelist.com/surviving-in-an-iot-enabled-world/72595/, I found it very interesting that a developer had hardcoded credentials to a Gmail account in his App. In order to figure out how many Apps are impacted by this flaw, I turned to Janus for help. The query https://www.appscan.io/search-app.html#type=app&q=strings:&page=1&hidecount=true&val=strings:%22smtp.gmail.com%22 returns about five thousand Apps! Except for the email service provider Apps, most of them are likely to enclose Gmail credentials in their Apps.

I casually chose some of the Apps for testing. Some of them are out-of-date Apps whose email credentials have since been changed, and some of them are blocked in the login process by the double check policy of Gmail. At last, when I came to the OCBC App, a Singaporean banking App, I found its credential is valid, and in the verification stage, the backup email address in the App helped me to bypass the double check. I was lucky to log in successfully.

Credentials for this App are:

Username: ****.mib@gmail.com 

Password: ****mib!@#

Backup email: ****.phyo@aleph-labs.com

The story has not ended yet. Apart from the well-known email provider, “smtp.gmail.com” in this case, there are lots of localized email providers that can be used by Apps. So, how many email credentials are indeed in Apps? I don’t know.

 

L’Oréal Finance, investors (Android) Vulnerability

L'Oréal Finance, investors is a finance App, which can be accessed via https://play.google.com/store/apps/details?id=com.investis.lorealIR or https://www.appscan.io/search-app.html#type=app&q=all:&page=1&val=Finance,%20investors.

The vendor of this App has made the mistake of hard-coding their credentials for Amazon SNS in this App. The credentials are ****C3XA and ****Z42H respectively. With these credentials, an attacker can gain unauthorized access and fully control the SNS system, pushing notifications to clients, for instance.

Since we cannot contact the App vendor, we post this vulnerability here. Until now, the App is still in a fragile state, so we can’t say too much about this vulnerability.
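Both posts above come down to secrets shipped inside the package. The following is an added example, not code from Janus or from either vendor: a pre-release check a developer can run over their own APK or IPA, flagging any entry where an SMTP host and a mailbox sit together, or where an AWS access key ID appears. The rule set, function names and sample package are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Illustrative rules (assumption): not an exhaustive secret-detection set.
RULES = {
    "smtp-host": re.compile(rb"smtp\.[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I),
    "mailbox": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"),
    # AWS access key IDs are 20 characters and start with AKIA or ASIA.
    "aws-access-key-id": re.compile(rb"(?<![A-Z0-9])A[KS]IA[A-Z0-9]{16}(?![A-Z0-9])"),
}

def scan_package(blob: bytes):
    """Return sorted (entry, rule, match) findings for an APK/IPA given as bytes."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(blob)) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            data = pkg.read(info)  # raw bytes: DEX and plist strings are mostly ASCII
            for rule, pattern in RULES.items():
                for m in pattern.finditer(data):
                    findings.add((info.filename, rule, m.group().decode("ascii")))
    return sorted(findings)

def blocking(findings):
    """Entries that should fail a release: an AWS key ID, or SMTP host plus mailbox."""
    by_entry = {}
    for entry, rule, _ in findings:
        by_entry.setdefault(entry, set()).add(rule)
    return sorted(e for e, rules in by_entry.items()
                  if "aws-access-key-id" in rules or {"smtp-host", "mailbox"} <= rules)

def build_sample() -> bytes:
    """Constructed package with fake values; nothing here is a real credential."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"\x00\x0esmtp.gmail.com\x00\x17alerts.demo@example.com\x00")
        z.writestr("assets/config.json", b'{"key":"AKIAEXAMPLEEXAMPLE00"}')
        z.writestr("res/raw/about.txt", b"Contact support@example.com")
    return buf.getvalue()

if __name__ == "__main__":
    results = scan_package(build_sample())
    for entry, rule, match in results:
        print(f"{entry}: {rule}: {match}")
    print("release blocked by:", blocking(results))
```

A lone contact address, as in `res/raw/about.txt`, is reported but does not block the release; only the combinations described in the two posts do.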