Security researchers have disclosed two vulnerabilities in a popular social app which could allow account takeover (ATO) or customer data loss.
The now-patched issues received a medium CVSS score. They appear in Zenly, a smartphone app that lets users see where friends and family are on a map.
The first bug exposes users’ phone numbers and could therefore be used to craft plausible vishing attacks, according to researchers at Checkmarx.
“When submitting a friend request to a user, Zenly will allow access to their phone number regardless of whether the friend request is accepted or not. To obtain this information, a malicious actor only needs to know their username,” they explained.
“While obtaining a username could be a difficult task on its own, it is made easier by the fact Zenly also exposes an exhaustive list of friends of a user. As a result, for obtaining the phone number of a user, a malicious actor does not need to know their username at the outset, but is able to follow a chain of friends until one of them has the victim in their friends list.”
Checkmarx warned that the bug could be exploited to target CEOs or senior decision makers in organizations who may be using the app, via other users in the group.
The second, ATO vulnerability stems from the way the Zenly API handles session authentication.
It normally calls a “/SessionCreate” endpoint with the phone number of the user, which then creates a session token and sends an SMS verification code to the user. It then calls the “/SessionVerify” endpoint with both the session token and the verification code received by SMS, in order to log the user in.
“An attacker can take over a user account by abusing the /SessionCreate endpoint, which will consistently return the same session token (although not yet valid) for the same user. Once the legitimate user validates the SMS code for that session token, the session will become valid for both the legitimate user and the attacker,” Checkmarx explained.
“The main point of this issue is that the attacker needs to obtain a session token before the legitimate user calls the /SessionVerify endpoint. This can be done either before or after the legitimate user calls the /SessionCreate endpoint.”
However, this is not necessarily easy to achieve, hence the CVSS score of 4.7. It would require the attacker to know the victim’s mobile number and to know when the victim will log in, sign up, register a new device or go through the authentication flow for other reasons.
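The token-reuse flaw described above, and the server-side fix (a fresh unpredictable token per SessionCreate call, with any older pending session retired), as an added Python model that is not Zenly’s code; the phone number, the endpoints modelled as methods and the in-memory SMS inbox are all constructed for the demonstration.

```python
import secrets


class AuthServer:
    """Constructed model of a SessionCreate/SessionVerify login flow (not Zenly's code)."""

    def __init__(self, reuse_pending_token: bool):
        self.reuse_pending_token = reuse_pending_token  # True models the reported flaw
        self.sessions = {}   # token -> {"phone", "code", "verified"}
        self.pending = {}    # phone -> token still awaiting SMS verification
        self.sms_inbox = {}  # phone -> codes "delivered"; stand-in for real SMS sending

    def session_create(self, phone: str) -> str:
        if self.reuse_pending_token and phone in self.pending:
            # Flaw: every caller naming this phone gets the same not-yet-valid token,
            # which becomes a working login for all of them once the owner verifies.
            return self.pending[phone]
        # Fix: retire any older pending session and mint a fresh unpredictable token,
        # so the only token that can become valid is the one handed to this caller.
        if phone in self.pending:
            self.sessions.pop(self.pending[phone], None)
        token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"
        self.sessions[token] = {"phone": phone, "code": code, "verified": False}
        self.pending[phone] = token
        self.sms_inbox.setdefault(phone, []).append(code)
        return token

    def session_verify(self, token: str, code: str) -> bool:
        s = self.sessions.get(token)
        if s is None or s["verified"] or not secrets.compare_digest(s["code"], code):
            return False
        s["verified"] = True
        self.pending.pop(s["phone"], None)
        return True

    def is_logged_in(self, token: str) -> bool:
        s = self.sessions.get(token)
        return s is not None and s["verified"]


def other_party_logged_in(reuse_pending_token: bool) -> bool:
    """Two SessionCreate calls for one phone; only the phone's owner can read the SMS."""
    srv, phone = AuthServer(reuse_pending_token), "+15550000000"  # constructed number
    other_token = srv.session_create(phone)  # someone else names the owner's number first
    owner_token = srv.session_create(phone)  # the owner then starts a normal login
    srv.session_verify(owner_token, srv.sms_inbox[phone][-1])  # owner enters their code
    return srv.is_logged_in(other_token)
```

With the flawed setting the other party’s token is logged in after the owner verifies; with the fix it never becomes valid, because the owner’s SessionCreate replaced it.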
Checkmarx thanked Zenly for its professionalism, cooperation and prompt ownership in working to fix the issues.