@zachi40
Last active July 4, 2022 03:06
hardcoded on LinkPlay app
From: Lifeng Zhao <lifeng.zhao@linkplay.com>
Sent: Sunday, December 12, 2021 5:03 PM
To: Hidden
Subject: Re: Security Vulnerability
*** The Answer ***
Hi Hidden,
Thank you very much for your detailed report on the security vulnerability. It is super helpful and important to us. We will take immediate action to fix this. Thank you again for your great support.
Best,
Lifeng
From: Hidden
Date: 2021-12-12 21:24
To: security@linkplay.com
Subject: Security Vulnerability
*** The vulnerability ***
Bug Type: Hard-coded secret key
Impact: RCE, supply chain attack
Platforms: iOS and Android applications
Our lab team has reviewed your product from a security perspective and noticed a few security issues that you should be aware of (technical details provided below).
It is important to note that CyberArk Labs follow the security industry standard disclosure policy. We allow 90 days for the issues to be fixed/patched/mitigated. CyberArk Labs reserves the right to publicly disclose all information about the issues after this timeframe.
We would be happy to share any additional information and to cooperate with you in mitigating the issue in a timely fashion.
Summary:
We can access an admin user in the JFrog Artifactory system, through which you can manage all the code of the applications and change it. As a result, we can change the application code across multiple tenants, ending with full RCE over every app. It is important to note, however, that both the Android and iOS applications suffer from these vulnerabilities.
In detail:
We found that the admin API key and the password of the SSL client certificate are hard-coded and stored in the SoundBar application (com.wifiaudio.Yamaha).
To exploit this, you can add the API key to each request sent to the server.
1. Within the SoundBar application, we found the password of the certificate_new_encrypted.p12 SSL certificate file. Using this certificate, we can communicate with the Soundbar device on port 443.
Besides that, we found that the file is encoded by XORing it with the value 2. Therefore, it is simple to overcome the encoding.
As a result, we can communicate with the device over HTTPS.
2. Also, we found that the application sends logs to the URL https://log.linkplay.com:8081/artifactory/Android/logs with the header "X-JFrog-Art-Api" and the API key AKCp5bB….
We discovered that this API key is the key of the admin user in the system. This is a major security concern because every malicious user can access the JFrog Artifactory with full admin access. In other words, a malicious user can corrupt the repository and cause clients to download malicious applications.
3. Moreover, we noticed that the JFrog version (6.2.0) is not up to date. The latest version is 7.10.2.
Thus, it is vulnerable to the following CVEs:
 1. CVE-2020-7931
 2. From the JFrog website
Lastly, we found the vulnerability (the admin API key) in many applications. Below are some links to several apps:
· https://play.google.com/store/apps/details?id=com.medion.speaker
· https://play.google.com/store/apps/details?id=com.wifiaudio.Yamaha
· https://play.google.com/store/apps/details?id=com.wifiaudio.triangle
· https://play.google.com/store/apps/details?id=com.wifiaudio.cavalier
· https://play.google.com/store/apps/details?id=com.wifiaudio.jam
· https://play.google.com/store/apps/details?id=com.wifiaudio.FABRIQ
· https://play.google.com/store/apps/details?id=com.zoundindustries.marshallvoice
· https://play.google.com/store/apps/details?id=com.dpiinc.ISBWV418B
· https://play.google.com/store/apps/details?id=com.ihome.ama
· https://play.google.com/store/apps/details?id=com.wifiaudio.iHome
· https://play.google.com/store/apps/details?id=com.wifiaudio.Creative
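The report above describes two findings that are easy to reproduce offline once an app bundle has been unpacked: a JFrog Artifactory API key shipped next to the X-JFrog-Art-Api header, and a PKCS#12 client certificate "encrypted" by XORing every byte with 2. The following is an added example (not code from CyberArk Labs, LinkPlay, or the gist author) that does both as a triage script: it greps strings pulled from the app for AKCp-prefixed tokens, the header name and artifactory URLs, and it recovers a single-byte XOR key for a .p12 file by testing each candidate against the DER header a real PFX starts with (SEQUENCE, then INTEGER version 3). The strings, the key value, the host name and the certificate bytes below are constructed for the demo; the real key on the page is only shown truncated and is not reproduced here.

```python
"""
Offline triage for hard-coded Artifactory credentials and an XOR-obfuscated
PKCS#12 bundle. Added example; sample inputs are constructed, not extracted
from any real application.
"""
import re
from typing import Iterable, Optional

# JFrog API keys are base62 tokens beginning with "AKCp". The minimum length
# here is an assumption chosen to avoid matching short identifiers.
JFROG_API_KEY_RE = re.compile(r"\bAKCp[0-9A-Za-z]{20,}\b")
ART_HEADER_RE = re.compile(r"X-JFrog-Art-Api", re.IGNORECASE)
ART_URL_RE = re.compile(r"https?://[^\s\"']+/artifactory/[^\s\"']*")


def find_artifactory_secrets(strings: Iterable[str]) -> dict:
    """Return API keys, header occurrences and artifactory URLs found in
    the given strings (e.g. output of `strings` over an unpacked APK or
    decompiled Java/Smali sources)."""
    findings = {"api_keys": [], "header_hits": [], "urls": []}
    for s in strings:
        findings["api_keys"].extend(JFROG_API_KEY_RE.findall(s))
        if ART_HEADER_RE.search(s):
            findings["header_hits"].append(s)
        findings["urls"].extend(ART_URL_RE.findall(s))
    return findings


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_pkcs12(buf: bytes) -> bool:
    """A DER-encoded PFX starts with SEQUENCE { INTEGER version(3), ... }:
    0x30, a length, then 02 01 03. Enough to distinguish a decoded .p12
    from noise without a full ASN.1 parser."""
    if len(buf) < 7 or buf[0] != 0x30:
        return False
    if buf[1] & 0x80:                      # long-form length, N length bytes follow
        n = buf[1] & 0x7F
        body = buf[2 + n:]
    else:                                  # short-form length
        body = buf[2:]
    return body[:3] == b"\x02\x01\x03"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force the single-byte XOR key of an obfuscated .p12. Returns
    0 if the file is already plain DER, None if no key produces a PFX
    header (i.e. the obfuscation is not single-byte XOR)."""
    head = blob[:16]
    for k in range(256):
        if looks_like_pkcs12(xor_bytes(head, k)):
            return k
    return None


# --- constructed sample data -------------------------------------------------
SAMPLE_KEY = "AKCp" + "EXAMPLE" + "0" * 30           # not a real key
SAMPLE_STRINGS = [
    'headers.put("X-JFrog-Art-Api", "' + SAMPLE_KEY + '");',
    "https://log.example.com:8081/artifactory/Android/logs",
    "certificate_new_encrypted.p12",
    "AKC",                                           # too short, must not match
]
# Minimal PFX-shaped prefix: SEQUENCE (len 0x0400), INTEGER 3, filler.
FAKE_P12 = b"\x30\x82\x04\x00\x02\x01\x03\x30\x82\x03\xf7" + b"\x00" * 32
ENCODED_P12 = xor_bytes(FAKE_P12, 2)   # what the app ships, per the report


if __name__ == "__main__":
    hits = find_artifactory_secrets(SAMPLE_STRINGS)
    for key in hits["api_keys"]:
        print("API key:", key[:8] + "...")           # never log the full key
    print("header hits:", len(hits["header_hits"]), "urls:", hits["urls"])
    k = recover_xor_key(ENCODED_P12)
    print("recovered XOR key:", k)
    if k is not None:
        with open("certificate_new_decoded.p12", "wb") as f:
            f.write(xor_bytes(ENCODED_P12, k))
```

With the decoded .p12 and the hard-coded password, `openssl pkcs12 -in certificate_new_decoded.p12 -info` shows what the client certificate contains, and `curl --cert-type P12 --cert certificate_new_decoded.p12:PASSWORD https://DEVICE/` reproduces the port-443 access the report describes. To confirm that a recovered key really is an admin key without touching any repository content, send a single `GET /artifactory/api/security/users` with the `X-JFrog-Art-Api` header: Artifactory documents that endpoint as admin-only, so a 200 is the evidence and a 403 means the key is scoped lower.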