During analysis I went towards the juicy part, "shared_pref.xml", hoping it had something for me 😀. I dug further and found that it was leaking the fb_access token in clear text :O. I then tried to check what its impact could be, but before doing that I checked the validity of the token and the permissions attached to it. So I opened up the Facebook Graph API Explorer, pasted the fetched token into the API and debugged it; the other interesting things I found were that it had publish_actions! and a long lifetime (2 months).
So why is this an issue?
According to OWASP:
It is important to threat-model your mobile app to understand the information assets it processes and how the underlying APIs handle those assets. These APIs should store sensitive information securely. Places OWASP most often sees data being stored insecurely include the following:
- SQLite databases
- Log Files
- Plist Files
- XML Data Stores or Manifest Files
- Binary data stores
- Cookie stores
- SD Card
- Cloud synced

Let me give you a scenario, or a possible explanation.

An attacker installs a malicious app on the victim's device; that app reads the XML file holding the access token and sends the token back to the attacker remotely, who can then use it to act against the victim.

So it was an insecure data storage issue.
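To make the "check the XML file" step concrete, here is an added example (not code from the original post, and not from any Facebook SDK): a small Python scanner that parses Android SharedPreferences XML pulled off a device and flags entries whose key name or value looks like a credential. It assumes the shared_prefs directory was copied with `adb pull`, which on a stock device requires root or a debuggable build (exactly the point Facebook argued about); the package name `com.example.target` and the `SAMPLE_XML`, including its fake token, are constructed for the example.

```python
"""Scan Android SharedPreferences XML files for credentials stored in clear text.

Added example, not code from the original post or from any Facebook SDK.
It assumes the app's shared_prefs directory has already been copied off the
device, e.g. with
    adb pull /data/data/com.example.target/shared_prefs ./shared_prefs
which only works on a rooted device or a debuggable build; the package name
and SAMPLE_XML below are constructed, and the token in it is fake.
"""
from __future__ import annotations

import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference keys that usually hold secrets (case-insensitive substring match).
SENSITIVE_KEY = re.compile(r"token|secret|passw|pwd|api_?key|session|auth|credential", re.I)

# Values that look like an opaque credential: a long run of token-like characters.
TOKEN_VALUE = re.compile(r"^[A-Za-z0-9_.\-|:]{32,}$")


def redact(value: str) -> str:
    """Show only a short prefix so findings can be logged without copying the secret."""
    return value if len(value) <= 8 else f"{value[:6]}...({len(value)} chars)"


def scan_prefs_xml(xml_text: str, source: str = "<inline>") -> list[dict]:
    """Return one finding per suspicious entry in a SharedPreferences <map>."""
    findings: list[dict] = []
    root = ET.fromstring(xml_text)
    if root.tag != "map":          # not a SharedPreferences file at all
        return findings
    for elem in root:
        name = elem.get("name", "")
        if elem.tag == "string":
            value = elem.text or ""
        elif elem.tag == "set":     # <set name=".."><string>..</string>..</set>
            value = " ".join((s.text or "") for s in elem.findall("string"))
        else:                       # int/long/float/boolean keep the value in value=""
            value = elem.get("value", "")
        reasons = []
        if SENSITIVE_KEY.search(name):
            reasons.append("sensitive key name")
        if elem.tag in ("string", "set") and TOKEN_VALUE.match(value):
            reasons.append("value looks like a token")
        if reasons:
            findings.append({"file": source, "key": name, "type": elem.tag,
                             "value": redact(value), "reasons": reasons})
    return findings


def scan_dir(prefs_dir: Path) -> list[dict]:
    """Scan every *.xml file in a pulled shared_prefs directory."""
    findings: list[dict] = []
    for xml_file in sorted(prefs_dir.glob("*.xml")):
        findings.extend(scan_prefs_xml(xml_file.read_text(encoding="utf-8"), str(xml_file)))
    return findings


# Constructed sample of what a leaking prefs file looks like; the token is fake.
SAMPLE_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="fb_access_token">CAACEdEose0cBAFakeToken0123456789abcdefghijklmnopqrstuvwxyz</string>
    <long name="fb_token_expires_at" value="1423612800000" />
    <string name="user_name">vishwa</string>
    <boolean name="dark_theme" value="true" />
    <set name="recent_searches">
        <string>android</string>
        <string>bug bounty</string>
    </set>
</map>
"""

if __name__ == "__main__":
    results = scan_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_prefs_xml(SAMPLE_XML)
    for f in results:
        print(f"{f['file']}: {f['type']} {f['key']!r} = {f['value']} [{', '.join(f['reasons'])}]")
```

Run it with no arguments to see the constructed sample flagged, or pass the pulled `shared_prefs` directory. The scanner only sees the copied files, so it cannot tell whether the original was created with a world-readable mode (which is what would let another app read it without root); check that separately on the device with `ls -l /data/data/<package>/shared_prefs/`.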
I immediately reported this issue to Facebook and was eagerly waiting for their reply 😀.
[+] Tested on an Android 4.2 Jelly Bean emulator.
Tools used:
[+] Reported on 11 December 2014 14:33
Video PoC:
And this was the reply:
Facebook security: If your device was rooted, then it's not our issue!
But I still wasn't happy with their answer and tried to explain further; this time a core member of their dev team replied with this:
"We appreciate your report, but currently I'm going to close out this report. If you feel you have more information to add, feel free to reopen it and add that information."
And they closed it again.
So, later on I asked the Twitter security team about the same issue in the same context.
Ans: Hi Vishwa, thanks for reaching out to us. We don't have any issue regarding the context of the device being rooted. If you've got any serious issue then we are eager to hear about it.
Twitter dev team.
Similarly I went to the Yandex security team, and their reply was the same as Twitter's regarding the context.
So that was all, guys.
Thank you for reading; better luck next time. #NeverGiveUp 🙂