SIK-2017-042


Title:

SQLi in Picture Cloud from CoupleVow App

Report ID

SIK-2017-042

Summary:

  • Vendor: 애펙스 주식회사
  • Product: Couple Vow (Package-Name: com.ms.coupleobserver)
  • Affected Version: 3.0.2
  • Severity: medium
  • Short summary: Access to all pictures of all users via SQLi.

Details:

The app lets two users share pictures with each other, and only these two users should be able to access them. To fetch the pictures, the app sends a request to a cloud service containing the names of the two users. The names alone are sufficient: the cloud returns the pictures without any further authentication. An adversary who knows the names of two connected users can therefore access their pictures.

Even worse, the web page is also vulnerable to an SQL injection attack, which allows an attacker to access every picture of every user:

http://*****/*****/*****/******/index.php?page=5&name=' or ''='&name2=test

Workaround

Suggested Mitigation

User input must be properly validated and sanitized before it is used in database queries. More details can be found at https://www.owasp.org/index.php/Data_Validation
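As an added illustration (not code from the advisory, the app or the vendor), the following Python stand-in reproduces both weaknesses described above against an in-memory SQLite table and places them beside a hardened form. The table schema, the order-agnostic pair-lookup query, the `session_user` argument and the sample rows are all assumptions; the real endpoint's query and schema are not known. It shows that the payload from the advisory makes the concatenated query return every row, while the hardened lookup binds parameters and refuses requests from callers who are not one of the two named users.

```python
import sqlite3

# Constructed sample data (not from the advisory): three pairs, four pictures.
SAMPLE_PICTURES = [
    ("alice", "bob", "alice_bob_1.jpg"),
    ("alice", "bob", "alice_bob_2.jpg"),
    ("carol", "dave", "carol_dave_1.jpg"),
    ("erin", "frank", "erin_frank_1.jpg"),
]

# Payload exactly as shown in the advisory's request (name parameter).
ADVISORY_PAYLOAD = "' or ''='"


def make_db():
    """In-memory stand-in for the picture cloud's database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pictures (name TEXT, name2 TEXT, filename TEXT)")
    db.executemany("INSERT INTO pictures VALUES (?, ?, ?)", SAMPLE_PICTURES)
    return db


def lookup_vulnerable(db, name, name2):
    """Reproduces the flaw class: request parameters concatenated into SQL and
    no check of who is asking. The pair query is an assumption, not the real one."""
    sql = (
        "SELECT filename FROM pictures "
        f"WHERE (name = '{name}' AND name2 = '{name2}') "
        f"OR (name = '{name2}' AND name2 = '{name}')"
    )
    return [row[0] for row in db.execute(sql)]


def is_member_of_pair(session_user, name, name2):
    """Authorization rule: the authenticated caller must be one of the two users.
    session_user is assumed to come from a server-side session, never from a
    request parameter."""
    return session_user in (name, name2)


def lookup_hardened(db, session_user, name, name2):
    """Hardened form: enforce the authorization rule, then bind all values as
    parameters so quotes in the input cannot change the query structure."""
    if not is_member_of_pair(session_user, name, name2):
        raise PermissionError("caller is not a member of the requested pair")
    sql = (
        "SELECT filename FROM pictures "
        "WHERE (name = ? AND name2 = ?) OR (name = ? AND name2 = ?)"
    )
    return [row[0] for row in db.execute(sql, (name, name2, name2, name))]


def demo():
    """Returns the outcome of each request so the contrast can be inspected."""
    db = make_db()
    results = {
        "vuln_legit": lookup_vulnerable(db, "alice", "bob"),
        "vuln_payload": lookup_vulnerable(db, ADVISORY_PAYLOAD, "test"),
        "hard_legit": lookup_hardened(db, "alice", "alice", "bob"),
        # Same payload, caller "test" is nominally in the pair, but the bound
        # parameter is just a literal string: no such user, no rows.
        "hard_payload": lookup_hardened(db, "test", ADVISORY_PAYLOAD, "test"),
    }
    try:
        lookup_hardened(db, "mallory", "alice", "bob")
        results["hard_third_party"] = "allowed"
    except PermissionError:
        results["hard_third_party"] = "denied"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable function the injected closing quote ends the second pair clause early, so the query degenerates to `... OR ''=''`, which is true for every row. The hardened function keeps the same query shape but lets the driver bind the values, and adds the missing ownership check that the first issue in the advisory calls for.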

Timeline

  • 2017-08-09 Vulnerability Discovered
  • 2017-08-09 Contacted developer
  • 2018-08-11 Published