Created October 27, 2017 19:23
Auditing WriteDiary.com (CVE-2017-15581 & CVE-2017-15582)
General note: The developer and owner of both the webapp and the Android app has been contacted multiple times to develop a quick fix for the issues addressed in this blog post and for a vulnerability concerning the webapp which isn't described here. However, no response has been received.
WriteDiary consists of a webapp (WriteDiary.com) and an Android app (version 4.72). For the audit, the Android app was the primary target.
CVE-2017-15581: Lack of HTTPS usage, lack of user data encryption when transmitting:
====================================================================================
In the "Diary with lock" (aka WriteDiary) application 4.72 for Android, neither HTTPS (check strings.xml for api_url_prod: http://diary.adpog.com/api2) nor other encryption is used for transmitting data, despite the documentation that the product is intended for "a personal journal of secrets and feelings," which allows remote attackers to obtain sensitive information by sniffing the network during LoginActivity or NoteActivity execution.
Vulnerability type: Plaintext data transport
Affected Product Code Base: WriteDiary - 4.72
Affected Component: LoginActivity, NoteActivity*
Impact: Information Disclosure of sensitive data (diary entries, login data)
-----------------------------------------------------------------------------
CVE-2017-15582: Usage of static AES parameters:
===============================================
In net.MCrypt in the "Diary with lock" (aka WriteDiary) application 4.72 for Android, hardcoded SecretKey and iv variables are used for the AES parameters, which makes it easier for attackers to obtain the cleartext of stored diary entries. The specific values are:
secret key = "f8djD2kfdU31wuRu"
iv = "aBcNvn71dkdjf8hf"
Vulnerability type: Hard coded AES parameters
Affected Product Code Base: WriteDiary - 4.72
Affected Component: net.MCrypt
Impact: Information Disclosure of sensitive data (diary entries)
-----------------------------------------------------------------------------
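A static check for both findings, as an added example that is not part of the original advisory or the app's code: it flags http:// values in strings.xml and key/IV specs built from string-literal fields. The sample inputs are constructed; only api_url_prod, its URL and the field names SecretKey and iv come from the advisory, while the class layout and literal values are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the findings above (not the app's real files).
STRINGS_XML = """<resources>
    <string name="app_name">Diary with lock</string>
    <string name="api_url_prod">http://diary.adpog.com/api2</string>
    <string name="help_url">https://example.invalid/help</string>
</resources>"""

MCRYPT_JAVA = '''
public class MCrypt {
    private String iv = "<constructed-iv>";
    private String SecretKey = "<constructed-key>";
    public MCrypt() {
        ivspec = new IvParameterSpec(iv.getBytes());
        keyspec = new SecretKeySpec(SecretKey.getBytes(), "AES");
    }
}
'''

def cleartext_urls(strings_xml):
    """Return {resource name: url} for string resources that hold http:// URLs."""
    root = ET.fromstring(strings_xml)
    return {s.get("name"): s.text.strip()
            for s in root.iter("string")
            if s.text and s.text.strip().lower().startswith("http://")}

# A field initialised from a string literal: String name = "literal";
LITERAL_FIELD = re.compile(r'\bString\s+(\w+)\s*=\s*"([^"]*)"')
# A crypto parameter built from a variable: new SecretKeySpec(name.getBytes(...
SPEC_USE = re.compile(r'new\s+(SecretKeySpec|IvParameterSpec)\s*\(\s*(\w+)\s*\.getBytes')

def hardcoded_crypto_params(java_src):
    """Return sorted (spec class, field name) pairs whose key or IV is a source literal."""
    literals = {name for name, _ in LITERAL_FIELD.findall(java_src)}
    return sorted((spec, var) for spec, var in SPEC_USE.findall(java_src) if var in literals)

if __name__ == "__main__":
    print("cleartext endpoints:", cleartext_urls(STRINGS_XML))
    print("hard-coded AES parameters:", hardcoded_crypto_params(MCRYPT_JAVA))
```

Run it over the decoded resources and decompiled sources of a release build; any hit means the endpoint or the key material ships identically to every install.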
Additional note (not relevant for the reported CVEs):
=====================================================
Further analysis showed that the data stored on the web application server is not encrypted. This means that the whole concept isn't as private as it claims to be. On top of that, there's a built-in backdoor which lets the administrator access the confidential diary entries of every user.