SIK-2017-039


Title:

SQLi in Login Form from GPS Location Tracker App

Report ID

SIK-2017-039

Summary:

  • Vendor: SeeBetaApp
  • Product: Track My Family (Package-name: com.betaapp.myfamilylocator)
  • Affected Version: 2.6
  • Severity: high
  • Short summary: SQLi in Login form breaks authentication

Details:

The app uses a backend to which the user must log in before using the service. A user is identified by her phone number and authenticated by a user-defined password. Phone number and password are transmitted over an insecure network channel (HTTP) as GET parameters. The backend does not sanitize the supplied input properly, which leaves the login vulnerable to SQL injection:

http://******/*******/login.php?password=test' or '' = '&mobile=1234567890

With this request, an adversary can log in as the user with the given mobile number without knowing the password.

Workaround

Suggested Mitigation

Proper input validation and parameterized database queries are required. More details can be found at https://www.owasp.org/index.php/Data_Validation
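The following added example (not code from the advisory or from the vendor's login.php, whose schema is unknown) models the flawed login described above and the mitigation beside it: the constructed users table, the string-concatenated query that the quoted password value bypasses, and a fixed version that validates the mobile number and binds both values as parameters.

```python
import re
import sqlite3

# Constructed sample data standing in for the backend's user table
# (assumption: the real schema is not given in the advisory; passwords are
# stored in clear here only to keep the demonstration short).
SAMPLE_USERS = [("1234567890", "s3cret"), ("0987654321", "hunter2")]

# The password value quoted in the advisory's request.
PAYLOAD = "test' or '' = '"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (mobile TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, mobile, password):
    # Mirrors the flaw in the report: GET parameters are pasted straight into
    # the SQL text, so a quote in the password rewrites the WHERE clause into
    # (mobile = ... AND password = 'test') OR '' = '' which is always true.
    sql = ("SELECT mobile FROM users WHERE mobile = '" + mobile +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def is_valid_mobile(mobile):
    # Allow-list validation of the identifier: optional '+' and 6-15 digits.
    return re.fullmatch(r"\+?\d{6,15}", mobile) is not None


def login_fixed(conn, mobile, password):
    # Reject malformed identifiers up front, then use a parameterized query:
    # the driver binds the values separately from the SQL text, so the quote
    # in the payload is compared literally instead of being parsed.
    if not is_valid_mobile(mobile):
        return False
    sql = "SELECT mobile FROM users WHERE mobile = ? AND password = ?"
    return conn.execute(sql, (mobile, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, "1234567890", PAYLOAD))
    print("fixed login with payload:     ", login_fixed(db, "1234567890", PAYLOAD))
    print("fixed login, real password:   ", login_fixed(db, "1234567890", "s3cret"))
```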

Timeline

  • 2017-08-09 Vulnerability Discovered
  • 2017-08-10 Contacted developer
  • 2018-08-11 Published