Leaking Credit card Activity in logs? Yes Sir!

Hello again,
This is the easiest bug you can find while testing an Android application. When you report it, you're going to be a problem for the developers, because this bug must not happen.

That's not how my invitation looked

I was invited to a private program, and I saw that they have an Android application so I decided to test on it.

I used Genymotion to install the app and proxied it through Burp Suite.

I started by understanding what this app does and how it works. The app is used to send and receive money; at the same time you can use it for donations, birthday gift sharing, "buy me a pizza", etc.

After doing a lot of tests (to make it short), I decided to open two accounts to start testing the "buy me a pizza" feature. Using Burp I intercepted the requests, and everything was fine and correctly set.

Just an image from Google

Almost everything was perfect, until I opened my phone and, using Termux, started checking the /res directory of the app installed on my phone as well. That gave me the idea which led me to the "leak".

Using Santoku OS (you can find more info about it online), I connected to my phone, started logging and monitored what was going on while I used the app. When I added credit card information, I saw that it was being logged.


Other than the problem of your CC information being logged, the issue is that you can read these logs while your phone is not rooted.

Also, every activity related to the CC and the transactions made was getting leaked in the logs.
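To catch this kind of leak systematically while testing, here is an added example (not from the original post, and not the app's code) that parses logcat "threadtime" output and flags every line carrying a Luhn-valid card number, reporting only the masked PAN. The sample log lines, app tags and PIDs are constructed; the card numbers are the well-known public test PANs.

```python
import re

# Constructed sample logcat (threadtime format) from a hypothetical payment app.
SAMPLE_LOGCAT = """\
03-14 10:22:01.114  4021  4021 D PaymentActivity: adding card number=4111 1111 1111 1111 exp=12/27
03-14 10:22:01.120  4021  4021 D PaymentActivity: request id=1234567890123 status=pending
03-14 10:22:02.003  4021  4055 I TxnService: transfer amount=25.00 to=pizza-friend
03-14 10:22:02.010  4021  4055 D TxnService: pan=5555-5555-5555-4444 cvv=123
"""

LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s(?P<msg>.*)$")
# 13 to 19 digits, optionally separated by single spaces or dashes (assumed PAN layout).
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that card PANs carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits, so the report itself does not leak the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pan_leaks(logcat_text: str) -> list:
    """Return (tag, pid, masked_pan) for each log line containing a Luhn-valid PAN."""
    hits = []
    for line in logcat_text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m:
            continue                       # not a threadtime line, skip it
        for cand in PAN_CANDIDATE_RE.findall(m["msg"]):
            digits = re.sub(r"[ -]", "", cand)
            if luhn_ok(digits):            # drops request ids and other digit runs
                hits.append((m["tag"].strip(), int(m["pid"]), mask_pan(digits)))
    return hits

if __name__ == "__main__":
    for tag, pid, pan in find_pan_leaks(SAMPLE_LOGCAT):
        print(f"PAN leaked by pid {pid} tag {tag}: {pan}")
```

Feed it a real capture with `adb logcat -v threadtime > app.log` and pass the file contents to `find_pan_leaks`; the 13-digit request id in the sample is deliberately Luhn-invalid and is not reported.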

Got a bounty of $800 and I learned something new that I usually don't check.

Have a nice day and happy hunting.

Twitter: komradz86 Aka Rody Rod

Armenian Lebanese Living in Germany, Hacker, Gamer and a Father up for challenges.
