SIK-2017-043


Title:

Unauthorized Changing of Email Address in CoupleVow App

Report ID

SIK-2017-043

Summary:

  • Vendor: 애펙스 주식회사 (Apex Co., Ltd.)
  • Product: Couple Vow (package name: com.ms.coupleobserver)
  • Affected Version: 3.0.2
  • Severity: medium
  • Short summary: The backend API of the app allows changing the email address of any registered user without authentication or authorization; combined with the password-reset function this enables account takeover

Details:

A user registers an account with an email address and a password in order to use the app. The password can be reset, in which case a new password is sent to the email address connected to the account. However, the backend API exposes a modify_email method that changes the connected email address of an arbitrary account, identified only by a client-supplied user ID (my_id), without any authentication or authorization check. An adversary who knows or guesses a victim's user ID can therefore set the victim's email address to one she controls, trigger the password-reset process, receive the new password, and log in to the victim's account.

Note: the implemented password-reset functionality seems to contain some issues, which result in the new password not being received via email. This prevented us from exploiting the issue successfully.

curl -i -s -k  -X $'POST' \
    -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; TP601A Build/LMY47V)' \
    --data-binary $'{\"method\":\"modify_email\",\"my_id\":\"victims_userid\",\"email\":\"new@mail.address\"}' \
    $'https://*****/*****/***/'

Workaround

Suggested Mitigation

Allow changing the email address only for an authenticated session, and derive the account to modify from that session rather than from the client-supplied my_id parameter, so a user can only change her own address. Additionally requiring the current password (or a confirmation sent to the old address) before the change takes effect makes a stolen session alone insufficient for takeover.
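The following is an added illustration of the flaw and the mitigation, written for this advisory; it is not the vendor's backend code. It models the observed modify_email request handling in two variants (the vulnerable form, which trusts my_id, and a hardened form bound to the authenticated session) and runs the three-step takeover chain from the Details section against each. The user table, the function names modify_email_vulnerable, modify_email_fixed, request_password_reset and takeover_chain, and the in-memory "outbox" standing in for the mail transport are all assumptions made for this example.

```python
"""Model of the SIK-2017-043 flaw (added example, not the vendor's code).

All names, data and the mail outbox below are constructed for illustration.
"""
import secrets
import string


def make_db():
    """Constructed sample user table; keyed by the user ID the app calls my_id."""
    return {
        "victim01": {"email": "victim@example.com", "password": "s3cret"},
        "attacker": {"email": "attacker@example.net", "password": "hunter2"},
    }


def modify_email_vulnerable(db, body):
    """Mirrors the observed API: no session, the target is whatever my_id the
    client sends, so any caller can rewrite any account's email address."""
    if body.get("method") != "modify_email":
        return {"ok": False, "error": "unknown method"}
    user = db.get(body.get("my_id"))
    if user is None:
        return {"ok": False, "error": "no such user"}
    user["email"] = body["email"]
    return {"ok": True}


def modify_email_fixed(db, session_user_id, body, current_password):
    """Hardened form: the account to modify is the authenticated session's own
    user (my_id from the request is ignored), and the change is gated on the
    current password so a stolen session alone is not enough."""
    if session_user_id is None:
        return {"ok": False, "error": "authentication required"}
    if body.get("method") != "modify_email":
        return {"ok": False, "error": "unknown method"}
    user = db[session_user_id]
    if not secrets.compare_digest(user["password"], current_password):
        return {"ok": False, "error": "wrong password"}
    user["email"] = body["email"]
    return {"ok": True}


def request_password_reset(db, user_id, outbox):
    """Generates a new password and 'mails' it to the account's current address.
    The outbox list stands in for the mail transport."""
    user = db[user_id]
    alphabet = string.ascii_letters + string.digits
    new_password = "".join(secrets.choice(alphabet) for _ in range(12))
    user["password"] = new_password
    outbox.append({"to": user["email"], "body": "Your new password: " + new_password})


def login(db, user_id, password):
    user = db.get(user_id)
    return user is not None and secrets.compare_digest(user["password"], password)


def takeover_chain(db, victim_id, attacker_email, change_email):
    """Runs the attack from the advisory against a given change_email(db, body)
    implementation: rewrite the victim's address, trigger a reset, read the
    mail, log in. Returns True if the attacker ends up logged in as the victim."""
    outbox = []
    body = {"method": "modify_email", "my_id": victim_id, "email": attacker_email}
    if not change_email(db, body)["ok"]:
        return False
    request_password_reset(db, victim_id, outbox)
    mails_to_attacker = [m for m in outbox if m["to"] == attacker_email]
    if not mails_to_attacker:
        return False  # the reset mail went to the real owner, not the attacker
    leaked = mails_to_attacker[0]["body"].split(": ", 1)[1]
    return login(db, victim_id, leaked)


if __name__ == "__main__":
    print("vulnerable endpoint, takeover:",
          takeover_chain(make_db(), "victim01", "attacker@example.net",
                         modify_email_vulnerable))
    # The attacker holds a valid session for her own account only.
    as_attacker = lambda d, b: modify_email_fixed(d, "attacker", b, "hunter2")
    print("fixed endpoint, takeover:",
          takeover_chain(make_db(), "victim01", "attacker@example.net", as_attacker))
```

With the vulnerable handler the chain succeeds; with the hardened handler the attacker's request only ever touches her own account, so the reset mail still goes to the victim and the login fails. The same holds when the request carries no session at all.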

Timeline

  • 2017-08-09 Vulnerability Discovered
  • 2017-08-09 Contacted developer
  • 2018-08-11 Published