SIK-2017-056

Title:

SQLi in Couple Vow app leaks all user credentials (passwords in plaintext)

Report ID

SIK-2017-056

Summary:

Vendor: 애펙스 주식회사
Product: Couple Vow (Package-Name: com.ms.coupleobserver)
Affected Version: 3.0.3
Severity: high
Short summary: All user credentials can be accessed via SQLi. Passwords are returned in plaintext.

Details:

Once a username has created an account with her smartphone, the server stores the user credentials together with the device ID of the user.
When reinstalling the app, the app sends the device id to the server in order to check whether an account has already been created for this device before.
If so, the server responses with the username, password and email address belonging to the device id.

As you can see in the request below, the device id is sent in a json object to the server.
The content of the deviceid field not properly sanitized and vulnerable against SQL injection attacks.
With this request, it is possible to get credentials for one user.
By changing the offset, another entry can be accessed.

POST http://*****/couplevow/v5/
Content-Type: application/json
{"method":"getuserid","deviceid":" ' or 1=1   limit 1 offset 5 --  "}

Workaround

–

Suggested Mitigation

There needs to be a proper input sanitization. More details can be found at https://www.owasp.org/index.php/Data_Validation

Timeline

2017-08-23: Vulnerability Discovered
2017-08-29: First email to developer
2018-08-11: Published