SIK-2016-043


Title:

Free Premium Features Unlock for My Passwords

Report ID

SIK-2016-043

Summary:

  • Vendor: Erkan Molla
  • Product: My Passwords
  • Affected Version: 6.0.0
  • Severity: low
  • Short summary:
    The free application from the Google Play Store can be upgraded to a paid premium version with additional features. An implementation flaw allows a user to unlock premium settings directly, without paying.

Details:

The Android app “My Passwords” has a free base version, which can be upgraded to a paid premium version. Some premium features can, however, also be activated without payment. The settings activities decide whether to show the premium-only options based on an integer extra in the intent that starts them, rather than on the actual purchase state. Anyone who can send intents to the app (for example from a shell on the phone) can therefore make settings visible that are normally only shown to paying premium customers. With the following commands (to be entered in a shell on the phone or via “adb shell”), the respective settings windows can be shown:

# unlock premium security settings
am start -n com.er.mo.apps.mypasswords/.settings.SecuritySettings --ei com.er.mo.apps.mypasswords.EXTRA_SUFCXNUQVRF 2

# unlock premium database settings
am start -n com.er.mo.apps.mypasswords/.settings.DatabaseSettings --ei com.er.mo.apps.mypasswords.EXTRA_SUFCXNUQVRF 2

# unlock premium appearance settings
am start -n com.er.mo.apps.mypasswords/.settings.AppearanceSettings --ei com.er.mo.apps.mypasswords.EXTRA_SUFCXNUQVRF 2

These settings windows are only shown temporarily: to change the settings again later, the user must issue the respective shell command again, since the windows do not become reachable through the normal UI as they would for a paying user. Nevertheless, once the settings have been configured, they remain in effect regardless of the payment status. An attacker can therefore issue the commands above once, configure the app as desired, and then use the otherwise unavailable features indefinitely.

Workaround

None available.

Suggested Mitigation

The app should always check whether the user has actually paid for the premium features before showing them. Intents can be spoofed easily, so the app must not treat the presence of a particular intent or extra as proof of payment. The purchase check should be done (1) before showing any premium configuration UI elements/activities, and (2) before executing any code that should only be available in the premium version, even if the corresponding settings have already been enabled. The latter is important because the stored settings can be set through an unintended path (as here) or tampered with directly, so the persisted configuration cannot be trusted as evidence of payment either.
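The following Android snippet illustrates the flaw described under Details and the two checks recommended above. It is an added example, not the vendor's code: the package, layout ids, the Entitlements interface and the way the purchase state reaches the activity are assumptions; only the extra name and the value 2 are taken from the commands in this report. The vulnerable decision (trusting the intent extra) is shown beside the hardened one (consulting the verified purchase state, and re-checking it in the feature code).

```java
// Added illustration, not the vendor's code. Package, layout ids, the
// Entitlements interface and the static entitlement hook are assumed; the real
// app's purchase verification is not known from the report.
package com.example.premiumgating;

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.view.View;

public class SecuritySettings extends Activity {

    /** Extra name taken from the advisory's commands; they pass the value 2. */
    static final String EXTRA_PREMIUM_FLAG =
            "com.er.mo.apps.mypasswords.EXTRA_SUFCXNUQVRF";

    /** Abstraction over the real purchase check (e.g. a query of the billing service). */
    public interface Entitlements {
        boolean hasPremium();
    }

    // Set once by the application after the purchase state has been verified with
    // the billing service. Null means "not verified", which is treated as not premium.
    private static volatile Entitlements sEntitlements;

    public static void setEntitlements(Entitlements entitlements) {
        sEntitlements = entitlements;
    }

    // --- Vulnerable pattern: the incoming intent decides what the user may see. ---
    static boolean premiumVisibleVulnerable(Intent intent) {
        // Anyone able to send an intent can supply this extra; payment is never checked.
        return intent.getIntExtra(EXTRA_PREMIUM_FLAG, 0) == 2;
    }

    // --- Hardened pattern: the intent is ignored, the verified purchase state decides. ---
    static boolean premiumVisibleHardened(Entitlements entitlements) {
        return entitlements != null && entitlements.hasPremium();   // fail closed
    }

    /**
     * Check (2): the feature code re-checks the entitlement before acting, so a
     * setting that was enabled through an unintended path, or by editing the
     * stored preferences, does not unlock the feature by itself.
     */
    static boolean shouldApplyPremiumFeature(boolean settingEnabled, Entitlements entitlements) {
        return settingEnabled && premiumVisibleHardened(entitlements);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.security_settings);                      // assumed layout id

        // Check (1): gate the premium UI on the purchase state, never on intent extras.
        View premiumSection = findViewById(R.id.premium_security_section); // assumed view id
        premiumSection.setVisibility(
                premiumVisibleHardened(sEntitlements) ? View.VISIBLE : View.GONE);
    }
}
```

Note that premiumVisibleHardened() deliberately takes no Intent: the activity can still be started with the extra from the report, but the extra no longer influences what is shown. shouldApplyPremiumFeature() is what the code path behind each premium setting should call at use time, so that a configuration value persisted while the window was reachable does not keep working after the fact.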

Timeline

  • 2016-11-11 Vulnerability Reported
  • 2017-02-15 Checked back with developer, no reply
  • 2017-02-17 Fixed in Version 7.2.1