SIK-2017-048
Title: Complete Access to all SMS Conversations of all users in GirlFriend Cell Tracker App
Report ID: SIK-2017-048
Summary:
- Vendor: SoftSquare InfoSoft
- Product: GirlFriend Cell Tracker App (Package-Name: com.omrup.cell.tracker)
- Affected Version: 1.20
- Severity: High
- Short summary: The app stores the SMS conversations of the user in the backend. All conversations are freely available to an attacker.
Details:
The API endpoint for the SMS conversations is called get_sms. The full URL is http://omsquare.in/grilfriend_celltracker/api/get_sms. Using an HTTP POST request, one can obtain the SMS of a specific user by calling:
POST http://****/****/api/get_sms
{
"cnt":"{number of conversations}",
"user_id":"{user id}"
}
By changing the user id to any valid user id, one can obtain the conversations of that user. Even worse, leaving out the user_id field completely, one can obtain the SMS conversations of all users.
Workaround:
There might not be any. The backend is not protected by any access control mechanism. Anyone can crawl the endpoint. A user cannot delete SMS once uploaded. Deleting the app / removing access to SMS can be a protection against future attacks.
Suggested Mitigation:
The backend is broken on a conceptual level. Please implement a proper access control mechanism. The OWASP Access Control Cheat Sheet may help.
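As an added illustration of the suggested mitigation (example code, not the vendor's backend): a minimal server-side handler for the get_sms endpoint that derives the user from an authenticated session instead of trusting the user_id field of the POST body, and bounds cnt. The bearer-token session table and the SMS data are constructed for the example.

```python
# Added example, not the vendor's code: a server-side handler for the get_sms
# endpoint that enforces object-level access control. The session tokens and
# the SMS store below are constructed sample data.
from typing import Optional

MAX_CNT = 100  # upper bound on conversations returned per request

# Constructed sample data: conversations keyed by the owning user id.
SMS_STORE = {
    "1001": [{"from": "+10000000001", "text": "hello"},
             {"from": "+10000000002", "text": "see you at 5"}],
    "1002": [{"from": "+10000000003", "text": "call me back"}],
}
# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}


def authenticate(headers: dict) -> Optional[str]:
    """Map an 'Authorization: Bearer <token>' header to a user id, or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return SESSIONS.get(value[len("Bearer "):])


def parse_cnt(raw, default: int = MAX_CNT) -> Optional[int]:
    """Validate the client-supplied 'cnt'; None means the value is invalid."""
    if raw is None:
        return default
    try:
        cnt = int(raw)
    except (TypeError, ValueError):
        return None
    return cnt if 1 <= cnt <= MAX_CNT else None


def get_sms(headers: dict, body: dict) -> dict:
    """POST /api/get_sms: return only the caller's own conversations."""
    user_id = authenticate(headers)
    if user_id is None:
        return {"status": 401, "sms": []}  # no valid session, no data
    # A user_id in the body is never used for the lookup; if it names
    # someone else, reject the request rather than silently serving own data.
    if "user_id" in body and str(body["user_id"]) != user_id:
        return {"status": 403, "sms": []}
    cnt = parse_cnt(body.get("cnt"))
    if cnt is None:
        return {"status": 400, "sms": []}
    # Omitting user_id no longer dumps every user: the key is always the session's.
    return {"status": 200, "sms": SMS_STORE.get(user_id, [])[:cnt]}
```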
Timeline:
- 2017-08-09: Vulnerability Discovered
- 2017-08-29: First Email sent to developer
- 2018-08-11: Published