SQLi in Picture Cloud from CoupleVow App
- Vendor: 애펙스 주식회사
- Product: Couple Vow (Package-Name: com.ms.coupleobserver)
- Affected Version: 3.0.2
- Severity: medium
- Short summary: Accessing all pictures form all users via SQLi.
The app allows to share pictures between two users. Only these users shall have access to the pictures. For accessing your pictures, the app sends a request to a cloud service with the names of the two users. Just by giving the names, the cloud returns the pictures. By knowing the names of two connected users, an adversary can access their pictures.
Even worse, the webpage is also vulnerable against an SQL injection attack, which allows an attacker to access every picture from every user:
http://*****/*****/*****/******/index.php?page=5&name=' or ''='&name2=test
There needs to be a proper input sanitization. More details can be found at https://www.owasp.org/index.php/Data_Validation
- 2017-08-09 Vulnerability Discovered
- 2017-08-09 Contacted developer
- 2018-08-11 Published