Hard-Coded Database Credentials in "Phone Tracker By Number"
- Vendor: AppDroid Aplicativos Ponto Com
- Product: Phone Tracker By Number (App-Package: com.androidaplicativos.phonetrackerbynumber)
- Affected Version: 2.3
- Severity: High
- Short summary:
The app contains hard-coded credentials for the backend MySQL server. This gives an attacker full access to all data.
The app directly connects to the MySQL database server in the backend without a middleware in between. The credentials used to authenticate against the MySQL database are hard-coded into the app and can easily be obtained by decompiling the app:
- Host: mysql.androidaplicativos.com
- Username: a*********4
- Password: P*********k
- Database: a*********4
As a consequence, attackers can directly connect to the MySQL database and extract or modify all data stored by all users of the app without requiring any further authorization.
Never place backend credentials or other sensitive data into the app. Always use a trusted middleware system to connect to the database. This middleware is responsible for checking proper user authentication and authorization such that users can only see the data they are allowed to see.
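A sketch of the middleware pattern recommended above, as an added example that is not the vendor's code or part of the original advisory. Assumptions: sqlite3 stands in for the MySQL backend, the `locations` table and its rows are constructed, and the function names and the HMAC token format (no expiry) are hypothetical.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Server-side only: the database handle and the token key never ship in the app.
TOKEN_KEY = secrets.token_bytes(32)

def make_db():
    """Constructed sample data; sqlite3 is a stand-in for the MySQL backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE locations (owner TEXT, phone TEXT, lat REAL, lon REAL)")
    db.executemany("INSERT INTO locations VALUES (?, ?, ?, ?)", [
        ("alice", "+10000000001", 48.1, 11.5),
        ("bob", "+10000000002", 52.5, 13.4),
    ])
    return db

def _mac(user_id: str) -> str:
    return hmac.new(TOKEN_KEY, user_id.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id: str) -> str:
    """Handed to the app after login; binds later requests to one user."""
    return f"{user_id}.{_mac(user_id)}"

def authenticate(token: str):
    """Return the user id if the token verifies, otherwise None."""
    user_id, _, mac = token.rpartition(".")
    if not user_id:
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(user_id).encode())
    return user_id if ok else None

def get_locations(db, token: str):
    """The only read path offered to the app: rows are scoped to the caller."""
    user_id = authenticate(token)
    if user_id is None:
        raise PermissionError("invalid or missing token")
    # Authorization: the owner filter comes from the verified token,
    # never from a client-supplied parameter, and the query is parameterized.
    rows = db.execute(
        "SELECT phone, lat, lon FROM locations WHERE owner = ?", (user_id,))
    return rows.fetchall()
```

The app only ever holds a per-user token, so extracting it from one installation exposes that user's rows and nothing else.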
- 2017-08-09: Vulnerability discovered
- 2017-08-09: Contacted developer
- 2017-08-17: Advisory sent to developer
- 2018-08-11: Published