During our examination of the application, we discovered several Critical, High, Medium, and Low vulnerabilities.
Firstly, we found “Credentials Exposed in WebSocket Response”. To find this vulnerability, we logged in with a valid username and sent a request to the URL, and observed that the response contained details such as the user's hashed password.
When we logged in as a valid user such as User1, tapped on the “Profile Settings” feature and intercepted the request, the response contained the hashed password of User1. When we changed the user ID of User1 in the URL to the ID of another user, User2, the response returned the name and password of User2. That is how we discovered the “Authorization Bypass via IDOR - View Information of Other User” vulnerability.
We also found that the application code was not obfuscated. We uncovered this by reversing the application: the source code was in a readable and understandable form.
We spun up the Android device, accessed its shell and navigated to the shared preferences directory. One of the files there contained the “UserAuth” token, which is how we identified “Insecure Local Storage in Shared Preferences”.
We uncovered the “Authorization Bypass via IDOR - View Group Members of Other Group” vulnerability after logging in as a valid user and tapping on an existing group. When we tapped on a particular group to access its information, the response exposed the full details of every member of that group. Later, we logged in as another user, opened another group, noted the ID of Channel 1 (channelid1) and logged out. We then changed the value of the parameter from “channelid1” to “channelid2” and observed that a different channel name and different data were returned in the response.
We also discovered “Unrestricted File Upload”, where a malicious user can upload a file that is not an image. The attacker selects an image file, changes its extension from “.jpeg” to “.exe”, and the upload succeeds with a success message. The attacker then sends the resulting URL to the victim; if the victim clicks on it, the file is downloaded and their system might be compromised.
During the assessment we also found that sensitive information could be written to logs, and that the “Authorization” token is not invalidated after the logout feature is used.
We also discovered that the app communicates with servers using cleartext network traffic, such as HTTP. This traffic risks being eavesdropped upon and tampered with by third parties, which can lead to information leakage and to unauthorized content or exploits being injected into the app.
The hash function used in the application is outdated and insecure, allowing an attacker to carry out a hash collision attack, that is, to produce a different input that yields the same hash. In particular, the application uses the MD5 hashing algorithm for passwords.
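As an added example (not the assessed application's code or the assessors' own), the handler below models the “Profile Settings” request and shows the fixes for the exposed-credentials and IDOR findings above together with the MD5 finding: the authenticated principal comes from the session rather than the URL, the response omits the password hash, and passwords are stored with salted PBKDF2-HMAC-SHA256 instead of MD5. The flawed pattern is kept beside the hardened one for comparison; the user store, names and secrets are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # OWASP-level work factor for PBKDF2-HMAC-SHA256; tune to budget


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 instead of the app's unsalted MD5."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed user records standing in for the application's user store.
USERS = {
    "user1": {"name": "User1", "password_hash": hash_password("user1-secret")},
    "user2": {"name": "User2", "password_hash": hash_password("user2-secret")},
}


class Forbidden(Exception):
    """Raised when the caller asks for a record that is not theirs."""


def legacy_profile_settings(requested_user: str) -> dict:
    """The flawed pattern: trust the id in the URL and return the whole record."""
    return dict(USERS[requested_user])  # no ownership check, leaks password_hash


def profile_settings(authenticated_user: str, requested_user: str) -> dict:
    """Hardened handler for the Profile Settings request.

    authenticated_user is taken from the session token, never from the URL;
    the id in the URL is honoured only when it matches that principal.
    """
    if requested_user != authenticated_user:
        raise Forbidden("cannot view another user's profile")
    record = USERS[requested_user]
    # Return only what the client needs; the password hash never leaves the server.
    return {"id": requested_user, "name": record["name"]}
```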
Finally, we found that the app is insecure in that it requests unknown permissions.