
Stupid vulnerability in the application "My Beeline"

This short story consists of two parts:


  1. Detection of a vulnerability, most likely due to the negligence of developers;
  2. Reporting the find to Beeline.

But this post would not have appeared if everything had been that simple.


Part 1. What happened?


Yesterday, while debugging my application in Android Studio, I opened Logcat and saw “My Beeline” flash by. So what? I really do have this application installed, and many applications write something to the log.


But. It turned out to be an HTTP request and response log. Again, this is not so scary: an API request URL and a successful response message.


But. In addition to the URL, the log contains the headers and the request body, including JSON content (carefully formatted) and session tokens.


Then you can just make yourself some popcorn, filter by the keyword "beeline" and watch the network life of the application.
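A release-build check for the leak described above, added here as an example (it is not code from the post or from Beeline): it scans captured `adb logcat -v threadtime` output for credential-shaped values and reports which log tag wrote them, with the secret masked. The sample log, the tag name and the patterns are constructed assumptions.

```python
import re

# Constructed sample in `adb logcat -v threadtime` layout; tag, host and secrets are made up.
SAMPLE_LOGCAT = """\
11-01 12:00:01.100  4321  4355 D HttpClient: --> POST https://api.example.test/v1/session
11-01 12:00:01.101  4321  4355 D HttpClient: Authorization: Bearer abc123.def456.ghi789
11-01 12:00:01.102  4321  4355 D HttpClient: {"login": "9001234567", "token": "s3ss10n-t0k3n-v4lu3"}
11-01 12:00:01.350  4321  4355 D HttpClient: <-- 200 OK (248ms)
11-01 12:00:01.351  4321  4355 D HttpClient: Set-Cookie: SESSIONID=f00dfeedbeef; Path=/
11-01 12:00:02.000  1234  1234 I ActivityManager: Displayed com.example.app/.MainActivity
"""

# threadtime layout: date time pid tid level tag: message
LINE_RE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+\d+\s+\d+\s+(?P<level>[VDIWEF])\s+(?P<tag>[^:]+?)\s*: (?P<msg>.*)$"
)

# Credential shapes that should never reach a shared log (assumed names, extend per API).
SECRET_PATTERNS = {
    "auth-header": re.compile(r"(?i)\b(?:authorization|x-auth-token)\s*:\s*(?:(?:bearer|basic)\s+)?(?P<secret>\S+)"),
    "cookie": re.compile(r"(?i)\b(?:set-cookie|cookie)\s*:\s*[^=;\s]+=(?P<secret>[^;\s]+)"),
    "json-field": re.compile(r'(?i)"(?:[a-z_]*token|password|session_?id)"\s*:\s*"(?P<secret>[^"]+)"'),
}

def scan_logcat(text):
    """Return one finding per leaked credential: (tag, level, kind, redacted message)."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # buffer separators such as "--------- beginning of main"
        msg = m["msg"]
        for kind, pattern in SECRET_PATTERNS.items():
            for hit in pattern.finditer(msg):
                start, end = hit.span("secret")
                # Mask the value so the report does not become a second leak.
                redacted = f"{msg[:start]}<redacted:{end - start}>{msg[end:]}"
                findings.append((m["tag"], m["level"], kind, redacted))
    return findings

def leaking_tags(findings):
    """Count findings per log tag so the offending logger can be located in the code."""
    counts = {}
    for tag, _level, _kind, _msg in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts

if __name__ == "__main__":
    for finding in scan_logcat(SAMPLE_LOGCAT):
        print(*finding, sep=" | ")
```

Run against a log captured from a release build while exercising login, any non-empty result means request logging is still enabled or is not masking credentials.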


Part 2. Sounding the alarm.


Of course, this could not be left as it was. Without hesitation, I went to the website of the company mentioned above, skimmed through it and found nothing better than an offer to start a chat with support directly on the site. Of course, I ran into face control in the form of a chat bot.


This was followed by the following dialogue:


Dialogue with the bot

Bot: Thank you for contacting our chat. Ask a question and our experts will help you find a solution.


Me: Good afternoon, I accidentally discovered a vulnerability in your Android application. Where can I report it?


Bot: iMessage and FaceTime - technologies developed by Apple, provided for a fee. To use you need an internet connection. iMessage - allows you to send a text message to another iMessage user. Disabling the service is possible in the settings of your device: "Settings" - "Messages" - "iMessage" - disable. FaceTime is a program with which you can make video and audio calls between Apple devices. You can also disable this option in the settings of your device: "Settings" - "FaceTime" - disable. If you still have questions about the possibilities within the framework of this service, then you can contact Apple iPhone tech support: 8-800-555-67-34 (free call).


Me: What?


Bot: Please specify what interests you.


Me: I accidentally discovered a vulnerability in your Android application. Where can I report it?


Bot: iMessage and FaceTime - technologies developed by Apple, provided for a fee. To use you need an internet connection. iMessage - allows you to send a text message to another iMessage user. Disabling the service is possible in the settings of your device: "Settings" - "Messages" - "iMessage" - disable. FaceTime is a program with which you can make video and audio calls between Apple devices. You can also disable this option in the settings of your device: "Settings" - "FaceTime" - disable. If you still have questions about the possibilities within the framework of this service, then you can contact Apple iPhone tech support: 8-800-555-67-34 (free call).


Me: What is happening?


Bot: Please rephrase your question.


Me: I accidentally discovered a vulnerability in your Android application. Where can I report it?


Bot: iMessage and FaceTime - technologies developed by Apple, provided for a fee. To use you need an internet connection. iMessage - allows you to send a text message to another iMessage user. Disabling the service is possible in the settings of your device: "Settings" - "Messages" - "iMessage" - disable. FaceTime is a program with which you can make video and audio calls between Apple devices. You can also disable this option in the settings of your device: "Settings" - "FaceTime" - disable. If you still have questions about the possibilities within the framework of this service, then you can contact Apple iPhone tech support: 8-800-555-67-34 (free call).


I cannot imagine at all which keyword threw the bot off like that. I quickly got bored of this conversation with the answering machine. I tried another combination and, lo and behold, background information was thrown at me again, but at the end I was offered a chance to talk to a real person. Hurray, a certain Oleg appeared, studied my dialogue with the robot (probably sighing with relief that the robots would not replace him yet) and advised me to send a description of my find with screenshots to otvet@beeline.ru (I did not find it mentioned on the website, maybe I searched badly). Then Oleg thanked me for the help and left to help out other robots.


Overjoyed by the progress, I wrote the following to the indicated address:


My letter

Good day,


I accidentally discovered that the My Beeline Android application dumps all API requests into the log, along with tokens and JSON content. In my opinion, this is a vulnerability.


Respectfully,
Kozlov Mikhail


Satisfied with myself, I made myself a coffee and continued to work. The answer came today.


Answer

Hello Michael!


It's not entirely clear what exactly is not working for you. Describe your problem in more detail.


Thank you for using Beeline services.


Best wishes,
Nekrasov Vyacheslav,


Customer support service "Beeline".


After the facepalm ritual, resisting the urge to write that it is not me for whom something is not working but them (the chat bot, the support service and the application developers), I described the problem in more detail.


This time I did not have to wait long: the answer came in five minutes.


Here it is

Dear Customer! We strive to keep up with the times and provide service in current communication channels. It is important for us that you receive feedback from us as soon as possible. Email support is not available. In order to get an instant answer to any question, we invite you to chat with a specialist on the site: https://beeline.ru/customers/pomosh/ or in the Mobile application: https://beeline.ru/dl ! Please note that this letter is automatically generated and no response is required. We are waiting for you in the chat on the site or in the mobile application. Your Beeline!




Source: https://habr.com/ru/post/428251/

