Skip to content

Instantly share code, notes, and snippets.

@NinjaXshell
Last active August 2, 2018 14:27
Show Gist options
  • Save NinjaXshell/ba0aeee4b77b4bdea76d0c0c095d53b1 to your computer and use it in GitHub Desktop.
Save NinjaXshell/ba0aeee4b77b4bdea76d0c0c095d53b1 to your computer and use it in GitHub Desktop.
Security advisory: Unencrypted storage of information in MakeMyTrip 7.2.4
The full advisory (that includes all technical details) can be found below:
Description: Unencrypted storage of confidential information
Affects: MakeMyTrip version 7.2.4 for Android
Vendor: MakeMyTrip Android Application
Tested on: Android v5.1
Severity: Medium
Discovery: NinjaXshell
Background
MakeMyTrip is a popular application that is used to book Hotels/Flights and stores various Confidential Informations.
The Android application is advertised to secure all confidential information.
Description
Android application folder was found to contain SQLite database files in the following subdirectory data/com.makemytrip/Cache and data/com.makemytrip/databses. This directory is used to store the application’s databases. The confidential information can be retrieved from the SQLite databases and stored in cleartext.
Impact
By obtaining access to the file system of an android device, an attacker can retrieve databases from the MakeMyTrip application directory. The information that can be retrieved from the content of entries in the MakeMyTrip.
An attacker can obtain access to the file system of an android device by rooting the device. Consequently, the confidentiality of information that is stored by version 7.2.4 (and possibly earlier versions) of the MAkeMyTrip application is at risk on android devices that can be rooted.
Solution
All confidential information that is stored on the device should be encrypted. If confidential data is stored in a remote location for backup purposes, the copy of the confidential data should also be encrypted.
Recommendation
The local database directly affects the confidentiality of information that is stored using version 7.2.4 of the MakeMyTrip android application. Users of the MakeMyTrip android application are therefore recommended to update the application to a version that solves the described issues or to use an alternative.
References
https://www.owasp.org/index.php/Mobile_Top_10_2016-M2-Insecure_Data_Storage
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment