usd-2018-0024 | Shpock App for Android & Iphone/current

Advisory ID: usd-2018-0024
CVE Number: N/A
Affected Product: Shpock App
Affected Version: unknown
Vulnerability Type: Username Enumeration
Security Risk: Low
Vendor URL: https://www.shpock.com/
Vendor Status: Fixed

Introduction

Because the app shows different error messages for existing and non-existing accounts, an attacker can test whether an account exists for a given email address.

If you type an incorrect Email-Address and Password into the shpock-mobile-app login form, it responds with the message:

„Die eingegebene Email-Adresse ist mit keinem Account verbunden“

If you use a registered email-address a window pops up which says:

„Hinweis!
Das Passwort und die E-mail-Adresse, die du eingegeben hast, stimmen nicht überein.
Wenn du dich an dein Passwort nicht erinnern kannst, tippe auf den „Passwort vergessen?“-Button.“

An attacker can write a script that, for instance, tries all emails from a list of leaked email addresses. This gives him information about which addresses are registered with the service.
Based on this, he could selectively attack individual registered accounts.

Proof of Concept

Fix

If a user enters incorrect credentials, generally reply with something like this:

„Incorrect Username ** or ** Password“

Timeline

2018-09-10 Created advisory
2018-09-10 notified info@shpock.com
2018-10-08 notified info@finderly.com
2018-10-15 initiated transfer
2018-10-22 Vendor fixed the issue
2018-12-07 Security advisory released

Credits

This security vulnerability was found by Yannick Westphal of usd AG.

usd-2018-0024 | Shpock App for Android & Iphone/current

Introduction

Proof of Concept

Fix

Timeline

Credits

About usd Security Advisories

Disclaimer

usd HeroLab

LabNews

Security Advisories zu SONIX und SAP

The Surprising Complexity of Finding Known Vulnerabilities

Security Advisories zu Zimperium und FileCloud

Folgen Sie uns