usd-2018-0024 | Shpock App for Android & iPhone/current

Advisory ID: usd-2018-0024
CVE Number: N/A
Affected Product: Shpock App
Affected Version: unknown
Vulnerability Type: Username Enumeration
Security Risk: Low
Vendor URL: https://www.shpock.com/
Vendor Status: Fixed

Introduction

Because the app shows different error messages for existing and non-existing accounts, an attacker can test whether an account exists for a given email address.

If you enter an e-mail address that is not registered, together with any password, into the Shpock mobile app's login form, it responds with a message stating that the address is not linked to any account:

„Die eingegebene Email-Adresse ist mit keinem Account verbunden“

If you use a registered e-mail address with a wrong password, a dialog pops up stating that the password and e-mail address do not match and pointing to the „Passwort vergessen?“ button:

„Hinweis!
Das Passwort und die E-mail-Adresse, die du eingegeben hast, stimmen nicht überein.
Wenn du dich an dein Passwort nicht erinnern kannst, tippe auf den „Passwort vergessen?“-Button.“

An attacker can write a script that, for instance, tries every address from a list of leaked e-mail addresses. The differing responses reveal which addresses are registered with the service, and the attacker could then target those individual accounts selectively.

Proof of Concept

Fix

If a user enters incorrect credentials, always reply with the same generic message regardless of whether the account exists, for example:

„Incorrect Username or Password“
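
To make the fix concrete, here is an added example (not Shpock's or usd AG's code) that places a login handler with the enumerable behaviour described above next to a hardened one that returns a single generic message; the user store, e-mail addresses and the `login_*`/`distinguishable` function names are constructed for illustration. The hardened handler also performs the same password-hashing work for unknown addresses, so response time does not leak what the message no longer does.

```python
"""Added example (not Shpock's or usd AG's code): enumerable login handler
next to a hardened one that answers every failed attempt identically."""
import hashlib
import hmac
import os
import secrets

# The two distinct messages quoted in the advisory.
MSG_NO_ACCOUNT = "Die eingegebene Email-Adresse ist mit keinem Account verbunden"
MSG_WRONG_PASSWORD = ("Das Passwort und die E-mail-Adresse, die du eingegeben "
                      "hast, stimmen nicht überein.")
GENERIC = "Incorrect Username or Password"


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store (assumption: one registered account).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}
# Dummy credentials used for unknown addresses so the hashing work is identical.
_DUMMY = (_SALT, _hash(secrets.token_hex(16), _SALT))


def login_vulnerable(email: str, password: str) -> str:
    """Leaks account existence: the message differs for unknown vs known e-mail."""
    if email not in USERS:
        return MSG_NO_ACCOUNT
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return MSG_WRONG_PASSWORD
    return "OK"


def login_fixed(email: str, password: str) -> str:
    """Same message, and the same hashing work, whether or not the e-mail exists."""
    salt, stored = USERS.get(email, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    return "OK" if matches and email in USERS else GENERIC


def distinguishable(login, known: str, unknown: str) -> bool:
    """Reviewer's check: do failed logins for a known and an unknown e-mail
    produce different messages? True means enumeration is possible."""
    return login(known, "wrong-password") != login(unknown, "wrong-password")
```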

Timeline

  • 2018-09-10 Advisory created
  • 2018-09-10 Notified info@shpock.com
  • 2018-10-08 Notified info@finderly.com
  • 2018-10-15 Initiated transfer
  • 2018-10-22 Vendor fixed the issue
  • 2018-12-07 Security advisory released

Credits

This security vulnerability was found by Yannick Westphal of usd AG.

ABOUT usd SECURITY ADVISORIES

In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.

Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.

Always for the sake of our mission: „more security.“

In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.

Disclaimer

The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.