MakeMyTrip 7.2.4 – Information Disclosure

• Exploit Database
• 14 阅读

• 作者： Divya Jain
  日期： 2018-05-22
• 类别：

  • local
  平台：

  • android
• 来源：https://www.exploit-db.com/exploits/44690/

• # Exploit Title: Android Application MakeMyTrip 7.2.4 - Unencrypted Database Files
  # Date: 2018-05-21
  # Software Link: MakeMyTrip v7.2.4 Android Application 
  # Exploit Author: Divya Jain
  # Version: 7.2.4 Android App
  # CVE: CVE-2018-11242
  # Category: Mobileapps
  # Tested on: Android v5.1
  
  # 1. Description
  # Android application folder was found to contain SQLite database files in the following subdirectory
  # data/com.makemytrip/Cache and data/com.makemytrip/databses. This directory is used to store the application’s databases. 
  # The confidential information can be retrieved from the SQLite databases and stored in cleartext.
  # As an impact it is known to affect confidentiality, integrity, and availability.
  
  # 2. Proof-of-Concept
  # The successful exploitation needs a single authentication and filesystem can be accessed, after rooting an android device.
  # After accessing the directories below
  
  /data/com.makemytrip/databases/
  /data/com.makemytrip/cache/
  
  # Above directories can be seen with unencrypted version of database files stored in the device
  # which can further lead to sensitive information disclosure.