SIK-2016-017


Title:

Complete Traffic Dumped to Logcat in Miles&More App

Report ID:

SIK-2016-017

Summary:

  • Vendor: Miles & More GmbH

  • Product: Miles&More App for Android

  • Affected Version: December 6, 2016 (Platform Build Version Name 6.0-2704002, Version Code 1612051910)

  • Severity: Medium

  • Short summary:
    All traffic (requests and responses) is written to Logcat. This effectively renders the TLS encryption useless. An attacker with access to the Logcat data can extract the user’s credentials from the login request and the authentication token issued by the server from the server’s response.

Details:

The app uses the okhttp library with the debug flag enabled. As a consequence, okhttp writes every HTTP(S) request and response to Logcat. This is a critical data leak: the login request contains the user’s credentials, which therefore appear in Logcat, and the server’s response to that request contains the authentication token the server issued, which appears in Logcat as well. An attacker with access to the Logcat output can obtain these values and impersonate the user towards the backend, for example to view the user’s profile with all of its sensitive information (which is available to the attacker in any case, because that data also lands in Logcat whenever the real user requests it). Note that since Android 4.1 ordinary third-party apps can no longer read other apps’ Logcat output; the realistic paths to the log are a host with USB debugging enabled (adb logcat), a rooted device, a privileged or system app, and bug reports or crash reports that bundle the log.

Workaround:

Deactivate the debug flag in the okhttp library.

Suggested Mitigation:

Deactivate the debug flag in the okhttp library (at least in release builds) and double-check that no sensitive information (credentials, session tokens, personal data) is written to Logcat anywhere in the app.
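The weak setting from the Details section beside the corrected one, as an added example in Java that is not code from the Miles&More app. It assumes that the “debug flag” the advisory refers to is okhttp’s HttpLoggingInterceptor (from the okhttp-logging-interceptor artifact) configured at Level.BODY, and that the app distinguishes debug from release builds through the Gradle-generated BuildConfig.DEBUG constant; the class and method names below are hypothetical. The last method is the check the mitigation asks for: it fails if any interceptor on a client would write bodies or headers to the log.

```java
import java.util.List;

import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.logging.HttpLoggingInterceptor;

// Hypothetical helper class; not part of the Miles&More app.
public final class HttpClients {

    private HttpClients() {}

    // Weak setting (assumed to be what the advisory calls the "debug flag"):
    // Level.BODY makes the interceptor print the request line, all headers
    // and the full request and response bodies. On Android the default
    // logger ends up in android.util.Log, i.e. in Logcat, in release builds
    // too. The login form and the token-bearing response are logged verbatim.
    public static OkHttpClient leakyClient() {
        HttpLoggingInterceptor logging = new HttpLoggingInterceptor();
        logging.setLevel(HttpLoggingInterceptor.Level.BODY);
        return new OkHttpClient.Builder()
                .addInterceptor(logging)
                .build();
    }

    // Corrected setting: no HTTP logging at all in release builds. In debug
    // builds only Level.BASIC (method, URL, status code, sizes) is logged,
    // so neither credentials nor tokens are written. Pass BuildConfig.DEBUG
    // as debugBuild from the app.
    public static OkHttpClient hardenedClient(boolean debugBuild) {
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        if (debugBuild) {
            HttpLoggingInterceptor logging = new HttpLoggingInterceptor();
            logging.setLevel(HttpLoggingInterceptor.Level.BASIC);
            builder.addInterceptor(logging);
        }
        return builder.build();
    }

    // Check for a unit test or a release-build self-test: true if any
    // application interceptor would log headers (Authorization, Cookie,
    // Set-Cookie, ...) or bodies. Level.HEADERS counts as leaking because
    // a bearer token in an Authorization header is logged just like a body.
    public static boolean logsSensitiveData(OkHttpClient client) {
        List<Interceptor> interceptors = client.interceptors();
        for (Interceptor i : interceptors) {
            if (i instanceof HttpLoggingInterceptor) {
                HttpLoggingInterceptor.Level level = ((HttpLoggingInterceptor) i).getLevel();
                if (level == HttpLoggingInterceptor.Level.BODY
                        || level == HttpLoggingInterceptor.Level.HEADERS) {
                    return true;
                }
            }
        }
        return false;
    }

    // Expected: logsSensitiveData(leakyClient()) is true,
    // logsSensitiveData(hardenedClient(false)) and
    // logsSensitiveData(hardenedClient(true)) are both false.
    public static void main(String[] args) {
        System.out.println("leaky client leaks: " + logsSensitiveData(leakyClient()));
        System.out.println("hardened release client leaks: " + logsSensitiveData(hardenedClient(false)));
        System.out.println("hardened debug client leaks: " + logsSensitiveData(hardenedClient(true)));
    }
}
```

Wire logsSensitiveData into a JVM unit test that builds the app’s real client so the build breaks if body logging creeps back in. The check only covers okhttp’s own interceptor; the second half of the mitigation (no sensitive data in Logcat anywhere) still needs a review of every Log.d/Log.v call and of any custom Interceptor or Logger the app installs, ideally confirmed by logging in on a test device with adb logcat running and grepping the output for the test account’s password and the token value.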

Timeline:

  • 2016-12-13 Vulnerability Discovered
  • 2016-12-15 Vulnerability Reported
  • 2016-12-19 Vulnerability Fixed