SIK-2017-044


Title:

Plaintext Communication in CoupleVow App

Report ID:

SIK-2017-044

Summary:

  • Vendor: 애펙스 주식회사
  • Product: Couple Vow (Package-Name: com.ms.coupleobserver)
  • Affected Version: 3.0.2
  • Severity: medium
  • Short summary: Communication for the login between app and its backend uses HTTP

Details:

The login process is realized via an HTTP connection. HTTP is a plaintext protocol, which is neither encrypted nor integrity protected. A man-in-the-middle adversary can eavesdrop on the login credentials when a user logs in and use these credentials at a later time. After login, the communication makes use of HTTPS, which is the correct way and should have been used for the login process as well.
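As an added check that is not part of this advisory, the following script shows how a tester can confirm the finding from a captured session: it flags any request that carries login fields over a non-TLS scheme and detects the mixed pattern described above (login over HTTP, everything else over HTTPS). The credential field names, hostnames, paths and the sample session are constructed assumptions; the app's real parameter names are not given in the report.

```python
from urllib.parse import urlparse, parse_qs

# Field names that typically carry login credentials (assumption; the advisory
# does not name the app's actual request parameters).
CREDENTIAL_FIELDS = {"id", "user", "username", "email", "pw", "password", "passwd"}


def carries_credentials(url: str, body: str) -> bool:
    """True if the query string or form body contains a credential-like field."""
    fields = set(parse_qs(urlparse(url).query, keep_blank_values=True))
    fields |= set(parse_qs(body, keep_blank_values=True))
    return bool(fields & CREDENTIAL_FIELDS)


def find_cleartext_logins(requests):
    """Return URLs of requests that send credentials over anything but https."""
    findings = []
    for _method, url, body in requests:
        if urlparse(url).scheme.lower() != "https" and carries_credentials(url, body):
            findings.append(url)
    return findings


def uses_mixed_schemes(requests):
    """True when one host is reached over both http and https (the advisory's pattern)."""
    schemes_by_host = {}
    for _method, url, _body in requests:
        parsed = urlparse(url)
        schemes_by_host.setdefault(parsed.hostname, set()).add(parsed.scheme.lower())
    return any({"http", "https"} <= s for s in schemes_by_host.values())


# Constructed sample session (not real traffic); host and paths are placeholders.
SAMPLE_SESSION = [
    ("POST", "http://api.example.invalid/login", "id=alice&pw=hunter2"),
    ("GET", "https://api.example.invalid/vows?page=1", ""),
    ("POST", "https://api.example.invalid/vows", "text=hello"),
]

if __name__ == "__main__":
    for url in find_cleartext_logins(SAMPLE_SESSION):
        print("credentials sent in cleartext:", url)
    print("mixed http/https to the same host:", uses_mixed_schemes(SAMPLE_SESSION))
```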

Workaround:

Use a VPN connection when using this app.

Suggested Mitigation:

Use HTTPS for all communication between app and backend, including the login request.

Timeline:

  • 2017-08-09 Vulnerability Discovered
  • 2017-08-09 Contacted developer
  • 2018-08-11 Published