usd-2018-0024 | Shpock App for Android & iPhone/current


Advisory ID: usd-2018-0024
CVE Number: N/A
Affected Product: Shpock App
Affected Version: unknown
Vulnerability Type: Username Enumeration
Security Risk: Low
Vendor URL: https://www.shpock.com/
Vendor Status: Fixed

Introduction

Because the app shows different error messages for existing and non-existing accounts, an attacker can test whether an account exists for a given email address.

If you type an incorrect email address and password into the Shpock mobile app's login form, it responds with the message:

„Die eingegebene Email-Adresse ist mit keinem Account verbunden“
(in English: "The email address you entered is not linked to any account")

If you use a registered email address, a dialog pops up which says:

„Hinweis!
Das Passwort und die E-mail-Adresse, die du eingegeben hast, stimmen nicht überein.
Wenn du dich an dein Passwort nicht erinnern kannst, tippe auf den „Passwort vergessen?“-Button.“
(in English: "Notice! The password and the email address you entered do not match. If you cannot remember your password, tap the 'Forgot password?' button.")

Because the two responses differ, an attacker can write a script that, for instance, submits every address from a list of leaked email addresses and records which response comes back. This tells the attacker which addresses are registered with the service, and based on that they could selectively target individual registered accounts.

Proof of Concept

Fix

If a user enters incorrect credentials, respond with the same generic message regardless of whether the account exists, for example:

„Incorrect username or password“
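The following is an added illustration and is not code from the advisory or from Shpock: a login handler written in the leaky pattern described in the Introduction (distinct messages for "unknown account" and "wrong password"), the hardened handler the Fix section calls for (one generic message), and a small regression check a defender can run to confirm that a login endpoint no longer reveals whether an address is registered. The user store, the password hashing helper and the email addresses are constructed for the example.

```python
"""Added example (not the advisory's or Shpock's code): username enumeration via
differing login error messages, the uniform-message fix, and a regression check."""
from dataclasses import dataclass
import hashlib
import hmac


def _digest(password: str) -> str:
    # Constructed helper for the example only. A real system must use a salted,
    # slow password hash (argon2, bcrypt or scrypt), not a bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample user store: email -> password digest.
USERS = {"alice@example.com": _digest("correct horse battery staple")}

# Digest compared against when the account does not exist, so both code paths
# do the same amount of work and the unknown-account path does not return early.
DUMMY_DIGEST = _digest("dummy-password-for-unknown-accounts")

GENERIC_MSG = "Incorrect username or password"


@dataclass(frozen=True)
class LoginResponse:
    ok: bool
    message: str


def login_leaky(email: str, password: str) -> LoginResponse:
    """Vulnerable pattern from the advisory: the failure message depends on
    whether the email address is registered, so failures can be told apart."""
    stored = USERS.get(email)
    if stored is None:
        return LoginResponse(False, "The email address you entered is not linked to any account")
    if hmac.compare_digest(stored, _digest(password)):
        return LoginResponse(True, "Welcome")
    return LoginResponse(False, "The password and the email address you entered do not match")


def login_uniform(email: str, password: str) -> LoginResponse:
    """Hardened pattern: every failed login returns the same generic message,
    and the password is hashed and compared even for unknown accounts."""
    stored = USERS.get(email)
    reference = stored if stored is not None else DUMMY_DIGEST
    matched = hmac.compare_digest(reference, _digest(password))
    if stored is not None and matched:
        return LoginResponse(True, "Welcome")
    return LoginResponse(False, GENERIC_MSG)


def leaks_account_existence(login_fn, known_email: str, unknown_email: str,
                            wrong_password: str = "not-the-password") -> bool:
    """Regression check for this class of finding: True if a failed login for a
    registered address is distinguishable from one for an unregistered address."""
    registered = login_fn(known_email, wrong_password)
    unregistered = login_fn(unknown_email, wrong_password)
    return registered != unregistered


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("uniform", login_uniform)):
        leaks = leaks_account_existence(fn, "alice@example.com", "nobody@example.com")
        print(f"{name}: leaks account existence = {leaks}")
```

The check compares whole responses, not just the message text, because any observable difference (status code, response body, headers, or a noticeably different response time) can serve the same purpose as the two distinct messages in this advisory. The same uniform-response rule applies to the registration and password-reset flows, which commonly leak the same information through messages like "this address is already in use", and rate limiting on the login endpoint reduces how quickly a list of addresses can be tested even where a subtle difference remains.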

Timeline

  • 2018-09-10 Created advisory
  • 2018-09-10 Notified info@shpock.com
  • 2018-10-08 Notified info@finderly.com
  • 2018-10-15 Initiated transfer
  • 2018-10-22 Vendor fixed the issue
  • 2018-12-07 Security advisory released

Credits

This security vulnerability was found by Yannick Westphal of usd AG.