SIK-2017-028


Title:

Hard-Coded Database Credentials in „Rastreador de Celular Libre“

Report ID

SIK-2017-028

Summary:

  • Vendor: AppDroid Aplicativos Ponto Com
  • Product: Rastreador de Celular Libre (App-Package: com.androidaplicativos.rastreadordelcelular)
  • Affected Version: 4.7
  • Severity: High
  • Short summary:
    The app contains hard-coded credentials for the backend MySQL server. Anyone who extracts them from the APK gains full read and write access to the data of all users.

Details:

The app connects directly to the backend MySQL database server; there is no middleware (such as an API server) between the app and the database. The credentials used to authenticate against the MySQL server are hard-coded into the app and can easily be recovered by decompiling it:

Host: mysql.rastreadordecelular.mobi
Username: r*********6
Password: t*********b
Database: r*********6

As a consequence, since every installed copy of the app carries the same credentials, an attacker can connect to the MySQL server directly and extract or modify all data stored by all users of the app without requiring any further authorization.

Workaround

None available.

Suggested Mitigation

Never embed backend credentials or other secrets in the app; anything shipped inside an APK must be assumed to be public. Route all database access through a trusted middleware (a backend API server) to which the app authenticates with per-user credentials. The middleware is responsible for authenticating each user and enforcing authorization, so that users can only read and modify the data they are entitled to. The database credentials that were shipped in the app must also be changed, since they remain usable by anyone who has already extracted them.

Timeline

  • 2017-08-09: Vulnerability discovered
  • 2017-08-09: Contacted developer
  • 2017-08-17: Advisory sent to developer
  • 2018-08-11: Published