Advisory

L’Oréal Finance, investors (Android) Vulnerability

L'Oréal Finance, investors is a finance app, available at https://play.google.com/store/apps/details?id=com.investis.lorealIR or https://www.appscan.io/search-app.html#type=app&q=all:&page=1&val=Finance,%20investors.

The vendor of this app hard-coded its Amazon SNS credentials in the app. The two credential values are ****C3XA and ****Z42H. With these credentials, an attacker can gain unauthorized access to the SNS system and fully control it, for instance by pushing notifications to clients.

Since we cannot contact the App vendor, we post this vulnerability here. Till now, the App is still in a fragile state; we can't talk too much about this vulnerability.
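A release-time check for this class of mistake, as an added example that is not part of the original advisory or the vendor's code: it scans decompiled or source text for AWS access key IDs and for 40-character secrets near them, and masks every hit the way the advisory does. The file names and the `scan` and `mask` helpers are hypothetical, and the sample input is constructed using the placeholder key pair from AWS documentation.

```python
import re

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# keys, ASIA for temporary ones) followed by 16 uppercase letters or digits.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_KEY = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def mask(value):
    """Show only the last four characters, as the advisory does."""
    return "****" + value[-4:]


def scan(files, window=3):
    """Return (path, line, kind, masked_value) findings.

    files maps a path to its text. A 40-character candidate is reported only
    when it sits within `window` lines of an access key ID, which keeps
    unrelated tokens such as SHA-1 digests out of the results.
    """
    findings = []
    for path, text in files.items():
        lines = text.splitlines()
        id_lines = []
        for no, line in enumerate(lines, 1):
            for m in ACCESS_KEY_ID.finditer(line):
                id_lines.append(no)
                findings.append((path, no, "access_key_id", mask(m.group(0))))
        for no, line in enumerate(lines, 1):
            if any(abs(no - k) <= window for k in id_lines):
                for m in SECRET_KEY.finditer(line):
                    findings.append((path, no, "secret_access_key", mask(m.group(0))))
    return findings


# Constructed sample input (not taken from the app described above).
SAMPLE = {
    "com/example/push/PushClient.java": (
        "class PushClient {\n"
        '  AWSCredentials c = new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE",\n'
        '      "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");\n'
        "}\n"
    ),
    # A 40-character SHA-1 digest with no key ID nearby must not be reported.
    "com/example/BuildInfo.java": 'String COMMIT = "da39a3ee5e6b4b0d3255bfef95601890afd80709";\n',
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

Any hit means the key pair ships to every device that installs the app, so the key should be rotated and the app switched to short-lived credentials issued by a backend.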