Plaintext Communication in CoupleVow App
- Vendor: 애펙스 주식회사
- Product: Couple Vow (Package-Name: com.ms.coupleobserver)
- Affected Version: 3.0.2
- Severity: medium
- Short summary: Communication for the login between app and its backend uses HTTP
The login process is realized via an HTTP connection. HTTP is a plain text protocol, which is not encrypted nor integrity protected. A man-in-the-middle adversary can eavesdrop login credentials when a user logs in and use these credentials at a later time. After login, the communication makes use of HTTPS, which is the correct way and should have been used for the login process as well.
Use a VPN connection when using this app.
Use HTTPs for communicating between app and backend.
- 2017-08-09 Vulnerability Discovered
- 2017-08-09 Contacted developer
- 2018-08-11 Published