Information disclosure in CoupleVow App
- Vendor: 애펙스 주식회사
- Product: Couple Vow (Package-Name: com.ms.coupleobserver)
- Affected Version: 3.0.2
- Severity: low
- Short summary: When using the "forgot password" function, the email address of the account is displayed to the user
When using the "forgot password" function, the user enters a username and the app then displays the email address of that account, to which the password-reset link has been sent.
In this way, an attacker who knows a username can obtain the email address belonging to it.
POST /****/****/ HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; TP601A Build/LMY47V)

HTTP/1.1 200 OK
Date: Wed, 09 Aug 2017 15:30:02 GMT
Server: Apache/2.2.3 (CentOS)
Do not display the email address in the response.
The user already knows which email address their account is registered under.
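As an added example (not the vendor's code), the reported behaviour in a minimal Python handler beside a hardened version that returns one generic reply regardless of whether the username exists; the user store, token store and function names are constructed for illustration.

```python
# Added example, not the vendor's code: a password-reset handler that
# echoes the account's e-mail address, beside a hardened version that
# returns the same generic message for every username.
import re
import secrets

# Constructed sample user store (username -> e-mail); not real accounts.
USERS = {
    "alice": "alice@example.com",
    "bob": "bob@example.net",
}

# Reset tokens issued by the hardened handler, keyed by username.
ISSUED_TOKENS = {}


def forgot_password_leaky(username):
    """Mirrors the reported behaviour: the response reveals the e-mail
    address tied to the username, and unknown usernames get a different
    reply, so usernames can be confirmed and addresses harvested."""
    email = USERS.get(username)
    if email is None:
        return {"status": 404, "message": "unknown user"}
    # (mail sending omitted)
    return {"status": 200, "message": f"Reset link sent to {email}"}


def forgot_password_hardened(username):
    """Same reply for known and unknown usernames, never containing the
    address. The reset link is still mailed only when the user exists."""
    email = USERS.get(username)
    if email is not None:
        # Issue an unguessable token and send it to the address on file;
        # neither the token nor the address appears in the HTTP response.
        ISSUED_TOKENS[username] = secrets.token_urlsafe(32)
    return {
        "status": 200,
        "message": "If the account exists, a reset link has been sent "
                   "to the e-mail address on file.",
    }


def response_reveals_email(resp):
    """Review/test check: does an e-mail address appear in the reply?"""
    return re.search(r"[\w.+-]+@[\w-]+\.[\w.-]+", resp["message"]) is not None
```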
- 2017-08-09 Vulnerability Discovered
- 2017-08-09 Contacted developer
- 2018-08-11 Published