VPNの脆弱性に関する不安が広がっています。ZPAの60日間無料トライアルを利用して、VPNからの移行のメリットをお確かめください。

Zscalerのブログ

Zscalerの最新ブログ情報を受信

購読する
セキュリティリサーチ

Monster Is Lurking….Beware!!!!

image
THREATLABZ
1月 03, 2013 - 2 分で読了


 

    Monsterindia.com is a very popular Indian job search website and a subsidiary of Monster Worldwide.  If you are using Monster job search app for Android then you need to be aware of the fact that it’s leaking your username and password in clear text. Beyond this, it also leverages weak authentication encoding. If we sniff the traffic we can easily get username and password as they are sent via HTTP (no encryption). In order to see this in action, you can leverage ZAP (Zscaler Appliation Profiler), which helps you determine the overall risk posed by apps that you have installed on your Android/iOS device.

 

 
Here is registration screen of the app.
 
Figure
 
Lets dive in and see exactly how this app is leaking data. Let’s start with an initial account registration, when first installing the app. When doing so, you’ll observe following traffic: 
 
Figure
 
 
Here, if you look closely, you can observe the highlighted text, which reveals that the e-mail address, username and password are all transmitted in clear text.
If you then subsequently login with an already established account, you’ll observe the following network traffic:
 
Figure
 
Here, I am using canary data for testing purposes and I have used ‘fnzscaler’ as the user name. As can be seen, this is again being sent in clear text to server. While not nearly as critical as the fact that the password was leaked during the account signup, there’s no reason why this traffic shouldn’t be sent via HTTPS to ensure that someone sniffing traffic on the network wouldn’t be in a position to brute force the login after obtaining your username.
Similarly if we take look at traffic on iOS device, the same thing can be observed. It is also sending the username and password in clear text during the registration process.
 
Figure
 
It is disappointing that Google’s Bouncerservice, or some other method was unable to quickly detect such simple coding mistakes and prevent an app with such a basic privacy flaw from appearing in the Google Play Store, until the issues are addressed.
For security purposes, I recommend that you check the risk score of apps on your mobile device, using ZAP. It can help to uncover high risk applications on the iOS and Android platforms. 
 
Be careful while using such apps.
 
 
 

 

form submtited
お読みいただきありがとうございました

このブログは役に立ちましたか?

dots pattern

Zscalerの最新ブログ情報を受信

このフォームを送信することで、Zscalerのプライバシー ポリシーに同意したものとみなされます。