usd-2018-0024 | Shpock App for Android & iPhone
Advisory ID: usd-2018-0024
CVE Number: N/A
Affected Product: Shpock App
Affected Version: unknown
Vulnerability Type: Username Enumeration
Security Risk: Low
Vendor URL: https://www.shpock.com/
Vendor Status: Fixed
Introduction
Because the app shows different error messages for existing and non-existing accounts, an attacker can test whether an account exists for a given email address.
If you enter an unregistered email address and any password into the login form of the Shpock mobile app, it responds with the message (original German: „Die eingegebene Email-Adresse ist mit keinem Account verbunden“):
"The email address you entered is not associated with any account"
If you enter a registered email address with a wrong password, a dialog appears instead (original German: „Hinweis! Das Passwort und die E-mail-Adresse, die du eingegeben hast, stimmen nicht überein. Wenn du dich an dein Passwort nicht erinnern kannst, tippe auf den „Passwort vergessen?“-Button.“):
"Notice!
The password and the email address you entered do not match.
If you cannot remember your password, tap the 'Forgot password?' button."
Because the two replies differ, the login form acts as an oracle for account existence. An attacker can script it to try, for instance, every address from a list of leaked email addresses and learn which of them are registered with the service, without needing any valid password.
With that list, the attacker can then target individual registered accounts selectively, for example with credential stuffing using the passwords leaked alongside those addresses, or with phishing tailored to Shpock users.
Proof of Concept
![Screenshot_20180907-145527_Shpock](https://herolab.usd.de/wp-content/uploads/sites/9/2021/07/Screenshot_20180907-145527_Shpock.jpg)
![Screenshot_20180910-120705_Shpock](https://herolab.usd.de/wp-content/uploads/sites/9/2021/07/Screenshot_20180910-120705_Shpock.jpg)
Fix
If a user enters incorrect credentials, reply with the same generic message whether or not an account exists for the given email address, for example:
"Incorrect username or password"
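The following Python is an added illustration written for this advisory, not Shpock's code and not the script used during the test. It models the two behaviours described above in a constructed toy login backend: `login_vulnerable` returns the two distinct messages from the Introduction, `login_fixed` returns the uniform message recommended in the Fix, and `enumerate_accounts` is the attacker-side oracle that compares each probe's reply with the reply for an address that cannot be registered. All user records, addresses and passwords are made up; the hashing parameters are chosen for a quick demo, not for production.

```python
"""Username enumeration via differing login errors, and the uniform-reply fix.

Added example for advisory usd-2018-0024. The backend, user store and
addresses below are constructed for illustration only.
"""
import hashlib
import hmac
import os

# Constructed user store: email -> (salt, PBKDF2 digest). Not real accounts.
_ITERATIONS = 20_000  # deliberately low for a fast demo


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {
    "alice@example.com": (_SALT, _hash("correct horse", _SALT)),
    "bob@example.com": (_SALT, _hash("battery staple", _SALT)),
}

# The two messages quoted in the advisory (translated) and the generic one.
NO_ACCOUNT = "The email address you entered is not associated with any account"
BAD_PASSWORD = "The password and the email address you entered do not match."
GENERIC = "Incorrect username or password"


def login_vulnerable(email: str, password: str) -> tuple[bool, str]:
    """Leaks account existence: a different error for unknown addresses."""
    rec = USERS.get(email)
    if rec is None:
        return False, NO_ACCOUNT
    salt, digest = rec
    if hmac.compare_digest(_hash(password, salt), digest):
        return True, "OK"
    return False, BAD_PASSWORD


# Dummy record so an unknown address still costs one hash computation;
# otherwise the response time would leak what the message no longer does.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _hash("dummy", _DUMMY_SALT)


def login_fixed(email: str, password: str) -> tuple[bool, str]:
    """Same message and same amount of work whether or not the account exists."""
    salt, digest = USERS.get(email, (_DUMMY_SALT, _DUMMY_DIGEST))
    password_ok = hmac.compare_digest(_hash(password, salt), digest)
    if password_ok and email in USERS:
        return True, "OK"
    return False, GENERIC


def enumerate_accounts(login, candidates: list[str]) -> list[str]:
    """Attacker-side oracle: probe every candidate with a junk password and
    report those whose reply differs from the reply for an address that
    cannot be registered. Returns the sorted list of addresses found."""
    never_registered = "probe-" + os.urandom(8).hex() + "@example.invalid"
    baseline = login(never_registered, "junk")[1]
    return sorted(e for e in candidates if login(e, "junk")[1] != baseline)


if __name__ == "__main__":
    leaked = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("vulnerable backend reveals:", enumerate_accounts(login_vulnerable, leaked))
    print("fixed backend reveals:     ", enumerate_accounts(login_fixed, leaked))
```

Run against the vulnerable handler the oracle recovers exactly the registered addresses; against the fixed handler it recovers nothing, because every failed attempt yields the same string. Two caveats for anyone applying the fix to a real backend: the uniform reply is only effective if the password-reset and sign-up flows are checked for the same leak, and the dummy hash in `login_fixed` matters, since skipping the hash for unknown addresses would let a timing measurement replace the missing error message.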
Timeline
- 2018-09-10 Created advisory
- 2018-09-10 Notified info@shpock.com
- 2018-10-08 Notified info@finderly.com
- 2018-10-15 Initiated transfer
- 2018-10-22 Vendor fixed the issue
- 2018-12-07 Security advisory released
Credits
This security vulnerability was found by Yannick Westphal of usd AG.