URL: https://deletescape.ch/posts/how-to-leak-all-user-data/

Dec 29, 2019 by maia arson crimew


DEBUGGING IN PROD: MAXIMIZING USER ATTACK SURFACE

> Note: This is a super quick write-up and probably still full of typos and
> stylistic errors, which you're free to point out in the comment section.

One thing that's really cool about the Android developer ecosystem is the
massive amount of tools and libraries that simplify and help during
development. There is an entire subgenre of remote debugging tools, such as
Stetho or Debug Drawer. One such tool is Android-Debug-Database from Mindorks,
a neat little utility that allows you to view and edit your app's preferences
and databases from a web browser during development.


Android Debug Database in action.

The key phrase here is, of course, in development, which makes sense to
everyone (and is also explained in the integration guide of the library),
right? Well, no. During today's Shodan safari I randomly stumbled into a
phone running this, openly available for anyone to play around with
(Brazilian ISPs having all ports open by default be thanked). On closer
inspection it turns out there are thousands of devices indexed on Shodan
running debug db.


This is bad.

I took a look at some of these to figure out some notable apps; here are two of
them:

 * Cinemark Brazil - 1M+ downloads
 * No Last Seen for WhatsApp - 50K+ downloads (yes, this allows reading all
   contacts and messages in the db)

Some of these apps include logs of sensor and location data.

I downloaded Cinemark to verify this for myself, and I was indeed able to
read and edit the app's db and prefs by opening the app and going to
localhost:8080. This is especially ironic considering the app also uses the
ThreatMetrix SDK, an Enterprise Risk Management (read: corporate spyware) SDK
which supposedly also prevents cybersecurity threats.

The damning thing here is that, while most ISPs won't allow access to their
clients on port 8080 (at least not without UPnP), this will always work inside
local networks, thus opening up another huge security threat on public WiFi.
This also makes me wonder how many other apps are out there, shipping this to
all their users and opening them up to attacks by literally anyone. Another
terrible thing is that this library allows editing of the data in the db and
the prefs, so the possible ways to exploit this beyond data exfiltration reach
far as well.
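The root cause of everything above is a debug-only library declared in a dependency configuration that ends up in release builds. Below is an added build-time check (not from the original post, nor from the debug-db project) that scans a build.gradle for exactly that; the artifact coordinates for debug-db, Stetho and Debug Drawer are listed as I know them and the sample build file is constructed, so verify both against your own dependency tree.

```python
import re
from typing import List, Tuple

# Gradle configurations whose dependencies ship in the release APK.
RELEASE_CONFIGS = {"implementation", "api", "compile",
                   "releaseImplementation", "releaseApi"}

# Libraries that open a debugging interface inside the app. Coordinates are an
# assumption (as published by each project); extend for your own tooling.
DEBUG_ONLY_ARTIFACTS = {
    "com.amitshekhar.android:debug-db": "Android-Debug-Database (HTTP UI on 8080)",
    "com.facebook.stetho:stetho": "Stetho",
    "io.palaima.debugdrawer:debugdrawer": "Debug Drawer",
}

# Matches Groovy (implementation 'g:a:v') and Kotlin DSL (implementation("g:a:v"))
# dependency lines; captures the configuration name and the group:artifact pair.
DEP_RE = re.compile(
    r"""^\s*(\w+)\s*\(?\s*['"]([\w.\-]+:[\w.\-]+)(?::[^'"]+)?['"]""")


def find_shipped_debug_tools(gradle_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, configuration, artifact) for every debug-only
    library declared in a configuration that reaches release builds."""
    findings = []
    for lineno, line in enumerate(gradle_text.splitlines(), 1):
        match = DEP_RE.match(line)
        if not match:
            continue  # not a dependency line (comment, brace, plugin block)
        config, artifact = match.groups()
        if config in RELEASE_CONFIGS and artifact in DEBUG_ONLY_ARTIFACTS:
            findings.append((lineno, config, artifact))
    return findings


# Constructed sample; X.Y.Z is a placeholder, not a real version.
SAMPLE_BUILD_GRADLE = """\
dependencies {
    implementation 'androidx.appcompat:appcompat:1.1.0'
    // Weak: the debug web UI ships to every user of the release build.
    implementation 'com.amitshekhar.android:debug-db:X.Y.Z'
    // Correct: present only in debug variants.
    debugImplementation 'com.facebook.stetho:stetho:X.Y.Z'
}
"""

if __name__ == "__main__":
    for lineno, config, artifact in find_shipped_debug_tools(SAMPLE_BUILD_GRADLE):
        print(f"line {lineno}: {DEBUG_ONLY_ARTIFACTS[artifact]} declared via "
              f"'{config}'; use debugImplementation instead")
```

Running it on the sample flags line 4 only; the Stetho line is correctly scoped and is left alone.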