Leaking Credit card Activity in logs? Yes Sir!

Hello again,
This is the easiest bug you can find while testing an android application. When you report it, you’re gonna be the problem for the developers because this bug must not happen.

I was invited to a private program, and I saw that they have an Android application so I decided to test on it.

I used Genymotion to install the App and used it with burp suite.

I started understanding what this app does and how it works. The app is used to send an receive money at the same time you can use it for donations, birthday gift sharing, buy me a pizza etc..

After doing a lot of tests, (to make it short) I decided to open 2 accounts to start testing the “buy me a pizza” feature. Using burp I intercepted the requests and everything was fine and correctly set.

Almost everything was perfect, until I opened my phone and using termux I was checking my /res directory in the app installed also on my phone so this idea came to me which made me find the “leak”

using Santoku OS (you can find more info about it online) I used it to connect to my phone, there I started the logging and monitored what was going on while I am using the app and when I decided to add Credit card information and I saw that it was being logged.

Other than the problem of your CC information being logged, the issue is that you can see these logs while your phone is not rooted .

Also , every activity was getting leaked in the logs related to the CC and transactions made

Got a bounty of 800$ and I learned something new that I usually don't check.

have a nice day and happy hunting.

Twitter: komradz86 Aka Rody Rod

--

--

--

Armenian Lebanese Living in Germany, Hacker, Gamer and a Father up for challenges.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Periodic Tasks with Android WorkManager

Android Room Persistence Library: Relations in a Nested One-To-Many Relationship.

Light to Dark Mode in Flutter using Provider!!

To Compose, or Not to Compose, That is the Question

The Journey of Jetpack 🚀 — Compose [I]

Introduction to Android Studio

Android Security Workshop

jCenter Dependencies in Android Studio

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rody Shahnazarian (Komradz86)

Rody Shahnazarian (Komradz86)

Armenian Lebanese Living in Germany, Hacker, Gamer and a Father up for challenges.

More from Medium

CVE-2021–43798 Grafana | Vulnerabilidade de leitura arbitrária não autorizada de arquivos

CVE-2021- 41528: Flexera / RISC Networks — Vulnerable Authorization Schema

Writeup: CSRF vulnerability with no defenses @ Portswigger Academy

Root me: Bash — System 1